TWI830522B - Method for enhancing memory protection and computing system - Google Patents
- Publication number
- TWI830522B
- Authority
- TW
- Taiwan
- Prior art keywords
- physical address
- manager
- size information
- virtual
- virtual machine
Landscapes
- Storage Device Security (AREA)
Description
The present invention relates to the technical field of memory protection, and more particularly to a method and a computing system capable of enhancing memory protection associated with the kernel of an operating system.
In a traditional Android high-level operating system (OS) that uses a monolithic operating system (such as Linux) as its kernel, protection of resources (for example, memory allocated by the Linux kernel, which Linux can control for applications (APPs), drivers and services in use) is implemented either by the Linux kernel or by a Trusted Execution Environment (TEE). When the Linux kernel implements resource protection, vulnerabilities in the Linux kernel make it an easy springboard for attackers, causing resource protection to fail. When the TEE implements resource protection, the TEE may offer higher security, but it may have limited resources and high overhead, which is not conducive to feature development. A new system is therefore urgently needed that protects memory allocated by the operating system kernel without degrading kernel performance or increasing cost.
The present invention provides a method and a computing system capable of enhancing memory protection associated with the kernel of an operating system, which can ensure the security of the system.
In one embodiment, a computing system provided by the present invention may include a processor configured to execute a guest virtual machine (VM), wherein an operating system (OS) runs on the guest VM and an application (APP) runs on the OS. The kernel of the OS includes: a protection service module configured to receive at least one virtual address and first size information sent by a client of the APP; and a memory management unit (MMU) manager configured to manage an MMU. The computing system further includes a hypervisor configured to receive the at least one virtual address and the first size information sent by the protection service module. The computing system further includes a host VM, which includes a protection manager configured to: receive the at least one virtual address and the first size information sent by the hypervisor; obtain, according to the at least one virtual address and the first size information, a physical address array and second size information corresponding to the physical address array; and protect memory allocated by the kernel of the OS according to the physical address array and the second size information.
In one embodiment, a method for enhancing memory protection provided by the present invention is implemented in a computing system that includes a processor. The method includes: running an operating system (OS) on a guest virtual machine (VM); running an application (APP) on the OS; receiving, by a hypervisor, at least one virtual address and first size information sent by a client of the APP; receiving, by a host VM, the at least one virtual address and the first size information sent by the hypervisor; and obtaining, by the host VM according to the at least one virtual address and the first size information, a physical address array and second size information corresponding to the physical address array, and protecting memory allocated by the kernel of the OS according to the physical address array and the second size information.
10: Electronic device
12: Processor
14: Storage device
16: Hardware circuit
20, 30, 40: System
200, 300, 400: Guest virtual machine
202, 302, 402: Application
204, 304, 404: Client
206, 306, 406: Protection service module
208, 308, 408: MMU manager
209, 322, 409: Logical-to-physical address mapping table
210, 310, 410: Memory
220, 320, 420: Hypervisor
240, 340, 440: Host virtual machine
242, 342, 442: Protection manager
244, 344: MMU integrity protection module
309: Virtual logical-to-physical address mapping table
321: Virtual logical-to-physical address mapping table manager
444: MMU integrity monitor
Figure 1 is a diagram of an electronic device 10 according to one embodiment of the present invention.
Figure 2 illustrates a system 20 capable of enhancing memory protection associated with the kernel of an operating system according to an embodiment of the present invention.
Figure 3 illustrates a system 30 capable of enhancing memory protection associated with the kernel of an operating system according to another embodiment of the present invention.
Figure 4 illustrates a system 40 capable of enhancing memory protection associated with the kernel of an operating system according to another embodiment of the present invention.
The following description is provided to illustrate the general principles of the invention and should not be construed as limiting. The scope of the invention is best determined by reference to the appended claims.
Figure 1 is a diagram of an electronic device 10 according to one embodiment of the present invention. By way of example and not limitation, the electronic device 10 may be a portable device such as a smartphone or a tablet. The electronic device 10 may include a processor 12, a storage device 14 and a hardware circuit 16. The processor 12 may be a single-core or a multi-core processor. The storage device 14 is a computer-readable medium that stores computer program code PROG. The processor 12 is equipped with software execution capability. The computer program code PROG may include a plurality of software modules, so that, when loaded and executed by the processor 12, the computer program code PROG instructs the processor 12 to perform the designated functions of the software modules. The electronic device 10 may be regarded as a computer system using a computer program product that includes a computer-readable medium containing computer program code. The hardware circuit 16 is pure hardware, which may consist only of logic gates and performs its designated functions without software execution. The system proposed by the present invention for enhancing memory protection associated with the kernel of an operating system (OS) may reside on the electronic device 10. For example, the system may include software-based functions implemented by the computer program code PROG running on the processor 12 and hardware-based functions implemented by the hardware circuit 16.
Figure 2 illustrates a system 20 capable of enhancing memory protection associated with the kernel of an operating system according to an embodiment of the present invention. The system 20 may include a processor (e.g., the processor 12 shown in Figure 1). The processor may be configured to execute software modules including a guest virtual machine (VM) 200, a hypervisor 220 and a host VM 240. Android may run on the guest VM 200 (i.e., the operating system of the guest VM 200 is Android), an application (APP) 202 may run on Android, and the kernel of Android may be Linux (for brevity, hereinafter "the Linux kernel"). To enhance protection of the memory 210 allocated by the Linux kernel (e.g., the Linux kernel may control memory for APPs, drivers and services in use), the client 204 of the APP 202 may send to the Linux kernel at least one virtual address (VA) and first size information SIZE_1 corresponding to the at least one virtual address VA, where the at least one virtual address VA may represent the virtual address of the memory 210 and the first size information SIZE_1 may represent the size of the memory 210.
The Linux kernel may include a protection service module 206 and a memory management unit (MMU) manager 208. The protection service module 206 may be configured to receive the at least one virtual address VA and the first size information SIZE_1 sent by the client 204 of the APP 202, for protecting the memory 210. The MMU manager 208 may be configured to manage an MMU (not shown in Figure 1). In this embodiment, the MMU manager 208 may include at least one logical-to-physical (L2P) address mapping table 209 (labeled "L2P table" in Figure 2), and the MMU manager 208 may be configured to convert the at least one virtual address VA into at least one physical address according to the at least one L2P address mapping table 209, to generate a physical address array PA_ARRAY and second size information SIZE_2 corresponding to the physical address array PA_ARRAY, where the second size information SIZE_2 may represent the size of the physical address array PA_ARRAY. The hypervisor 220 may be configured to receive the at least one virtual address VA and the first size information SIZE_1 sent by the protection service module 206.
The host VM 240 may include a protection manager 242, which may be configured to: receive the at least one virtual address VA and the first size information SIZE_1 sent by the hypervisor 220; obtain the physical address array PA_ARRAY and the second size information SIZE_2 from the MMU manager 208 according to the at least one virtual address VA and the first size information SIZE_1; and protect the memory 210 according to the physical address array PA_ARRAY and the second size information SIZE_2. In addition, the host VM 240 may further include an MMU integrity protection module 244. The MMU integrity protection module 244 may be configured to protect the at least one L2P address mapping table 209 (labeled "Protect" in Figure 2).
Consider a case (referred to as "case 1") in which the host VM 240 includes only the protection manager 242 and receives the physical address array PA_ARRAY and the second size information SIZE_2 from the hypervisor 220. That is, the protection service module 206 obtains the physical address array PA_ARRAY and the second size information SIZE_2 from the MMU manager 208 according to the at least one virtual address VA and the first size information SIZE_1, and sends the physical address array PA_ARRAY and the second size information SIZE_2 to the protection manager 242 through the hypervisor 220. In case 1, in terms of security, the trustworthiness of the physical address array PA_ARRAY obtained from the MMU manager 208 cannot be determined, and the obtained physical address array PA_ARRAY may be tampered with or attacked while it is transmitted to the protection manager 242 through the hypervisor 220 (for example, an attacker may use a fake protection service module to attack the system 20). In terms of performance, transmitting the physical address array PA_ARRAY to the protection manager 242 through the hypervisor 220 may degrade the performance of the system 20. For example, to protect memory of size 32 megabytes (MB), a physical address array of size 34 kilobytes (KB) needs to be transmitted.
Compared with case 1, in the system 20 of Figure 2 the at least one virtual address VA and the first size information SIZE_1 are transmitted from the Linux kernel to the protection manager 242 through the hypervisor 220, which can prevent the system 20 from being tampered with or attacked during that transmission. The MMU integrity protection module 244 may be configured to ensure the trustworthiness of the at least one virtual address VA and the first size information SIZE_1 by protecting the at least one L2P address mapping table 209. As a result, the system 20 shown in Figure 2 is much more secure than case 1. In addition, the protection manager 242 can obtain the physical address array PA_ARRAY and the second size information SIZE_2 directly from the MMU manager 208 according to the at least one virtual address VA and the first size information SIZE_1 sent by the hypervisor 220, which can improve the performance of the system 20.
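The difference between case 1 and the system 20, modelled in C as an added example (not code from the patent): in case 1 the protection manager uses a PA_ARRAY that crossed the hypervisor, while in the system 20 only VA and SIZE_1 cross it and PA_ARRAY is derived from the L2P table on the trusted side. The 4 KiB page size, the table layout, the sample values and every function name are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12u          /* assumption: 4 KiB pages */
#define NUM_VPAGES 16u          /* constructed guest address space: 16 virtual pages */
#define NUM_FRAMES 64u          /* constructed physical memory: 64 frames */
#define UNMAPPED   UINT32_MAX

/* Stand-in for L2P table 209: index = virtual page number, value = frame number. */
typedef struct { uint32_t frame[NUM_VPAGES]; } l2p_table;

/* What the protection manager records: one "protected" flag per physical frame. */
typedef struct { uint8_t is_protected[NUM_FRAMES]; } protect_state;

/* Constructed sample mapping: virtual pages 2..4 map to scattered frames. */
l2p_table sample_table(void)
{
    l2p_table t;
    for (size_t i = 0; i < NUM_VPAGES; i++) t.frame[i] = UNMAPPED;
    t.frame[2] = 40; t.frame[3] = 7; t.frame[4] = 41;
    return t;
}

/* Translate [va, va + size_1) into PA_ARRAY, one page-aligned physical address
 * per page touched, and SIZE_2, the number of entries. Returns 0 or -1. */
int l2p_resolve(const l2p_table *t, uint64_t va, uint64_t size_1,
                uint64_t *pa_array, size_t cap, size_t *size_2)
{
    if (size_1 == 0 || va + size_1 < va) return -1;      /* empty or wrapping range */
    uint64_t first = va >> PAGE_SHIFT;
    uint64_t last = (va + size_1 - 1) >> PAGE_SHIFT;
    if (last >= NUM_VPAGES) return -1;                   /* outside the address space */
    size_t n = 0;
    for (uint64_t vpn = first; vpn <= last; vpn++) {
        uint32_t f = t->frame[vpn];
        if (f == UNMAPPED || f >= NUM_FRAMES) return -1; /* hole or bad entry */
        if (n == cap) return -1;                         /* caller's array too small */
        pa_array[n++] = (uint64_t)f << PAGE_SHIFT;
    }
    *size_2 = n;
    return 0;
}

/* Validate every entry before changing any state, then mark the frames. */
static int mark_frames(protect_state *s, const uint64_t *pa_array, size_t size_2)
{
    for (size_t i = 0; i < size_2; i++)
        if ((pa_array[i] >> PAGE_SHIFT) >= NUM_FRAMES) return -1;
    for (size_t i = 0; i < size_2; i++)
        s->is_protected[pa_array[i] >> PAGE_SHIFT] = 1;
    return 0;
}

/* Case 1: PA_ARRAY arrives through the hypervisor and is used as received.
 * Nothing here can tell whether it still matches the L2P table. */
int protect_case1(protect_state *s, const uint64_t *pa_array, size_t size_2)
{
    return mark_frames(s, pa_array, size_2);
}

/* System 20: only (VA, SIZE_1) is received; PA_ARRAY is derived from the
 * L2P table, which the design keeps under integrity protection.
 * Returns SIZE_2 on success, -1 if the range cannot be resolved. */
int protect_system20(protect_state *s, const l2p_table *t,
                     uint64_t va, uint64_t size_1)
{
    uint64_t pa_array[NUM_VPAGES];
    size_t size_2 = 0;
    if (l2p_resolve(t, va, size_1, pa_array, NUM_VPAGES, &size_2) != 0) return -1;
    if (mark_frames(s, pa_array, size_2) != 0) return -1;
    return (int)size_2;
}

int main(void)
{
    l2p_table t = sample_table();
    uint64_t va = 0x2800, size_1 = 0x2000;   /* constructed request: pages 2, 3, 4 */

    /* Case 1: the array as it might look after entry 1 was altered in transit. */
    uint64_t received[3] = { 0x28000, 0x9000, 0x29000 };
    protect_state c1 = {0};
    protect_case1(&c1, received, 3);
    printf("case 1:    frame 7 protected=%d, frame 9 protected=%d\n",
           c1.is_protected[7], c1.is_protected[9]);

    protect_state s20 = {0};
    int n = protect_system20(&s20, &t, va, size_1);
    printf("system 20: SIZE_2=%d, frame 7 protected=%d, frame 9 protected=%d\n",
           n, s20.is_protected[7], s20.is_protected[9]);
    return 0;
}
```

In the case 1 path the frame that really backs the buffer (frame 7) ends up unprotected, which is the failure the paragraph above attributes to an untrusted PA_ARRAY.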
However, protecting the at least one L2P address mapping table 209 may reduce the performance of the Linux kernel. In addition, a write mechanism for the at least one L2P address mapping table 209 may be provided to the MMU manager 208 by the MMU integrity protection module 244, and the high overhead of this write mechanism may affect the performance of the MMU. To address these problems, at least one virtual L2P address mapping table may be provided to the MMU manager. Refer to Figure 3, which illustrates a system 30 capable of enhancing memory protection associated with the kernel of an operating system according to another embodiment of the present invention. The system 30 may include a processor (e.g., the processor 12 shown in Figure 1). The processor may be configured to execute software modules including a guest VM 300, a hypervisor 320 and a host VM 340, where Android may run on the guest VM 300 (i.e., the operating system of the guest VM 300 is Android), an APP 302 may run on Android, and the kernel of Android may be Linux. To protect the memory 310 allocated by the Linux kernel (e.g., the Linux kernel may control memory for APPs, drivers and services in use), the client 304 of the APP 302 may send to the Linux kernel at least one virtual address VA and first size information SIZE_1 corresponding to the at least one virtual address VA, where the at least one virtual address VA may represent the virtual address of the memory 310 and the first size information SIZE_1 may represent the size of the memory 310.
The Linux kernel may include a protection service module 306 and an MMU manager 308. The protection service module 306 may be configured to receive the at least one virtual address VA and the first size information SIZE_1 sent by the client 304 of the APP 302, for protecting the memory 310. The MMU manager 308 may be configured to manage an MMU (not shown in Figure 3). The hypervisor 320 may be configured to receive the at least one virtual address VA and the first size information SIZE_1 sent by the protection service module 206. In addition, the hypervisor 320 may include a virtual L2P address mapping table manager 321, which may be configured to: receive at least one L2P address mapping table 322 (labeled "L2P table" in Figure 3); convert the at least one virtual address VA into at least one physical address according to the at least one L2P address mapping table 322, to generate a physical address array PA_ARRAY and second size information SIZE_2 corresponding to the physical address array PA_ARRAY; and provide at least one virtual L2P address mapping table 309 (labeled "vL2P table" in Figure 3) to the MMU manager 308, where the second size information SIZE_2 may represent the size of the physical address array PA_ARRAY.
The host VM 340 may include a protection manager 342, which may be configured to: receive the at least one virtual address VA and the first size information SIZE_1 sent by the hypervisor 320; obtain the physical address array PA_ARRAY and the second size information SIZE_2 from the virtual L2P address mapping table manager 321 according to the at least one virtual address VA and the first size information SIZE_1; and protect the memory 310 according to the physical address array PA_ARRAY and the second size information SIZE_2. In addition, the host VM 340 may further include an MMU integrity protection module 344. In this embodiment, the MMU integrity protection module 344 may be configured to protect the virtual L2P address mapping table manager 321 (labeled "Protect" in Figure 3).
Compared with the system 20 shown in Figure 2, the system 30 shown in Figure 3 does not require the MMU integrity protection module 344 to provide the MMU manager 308 with a write mechanism for the at least one L2P mapping table, which prevents the high overhead of the write mechanism from affecting the performance of the MMU. Furthermore, what the MMU integrity protection module 344 protects is not the at least one L2P address mapping table but the virtual L2P address mapping table manager 321. In this way, the Linux kernel performance degradation caused by protecting the at least one L2P address mapping table can be improved.
Figure 4 illustrates a system 40 capable of enhancing memory protection associated with the kernel of an operating system according to another embodiment of the present invention. The system 40 may include a processor (e.g., the processor 12 shown in Figure 1). The processor may be configured to execute software modules including a guest VM 400, a hypervisor 420 and a host VM 440, where Android may run on the guest VM 400 (i.e., the operating system of the guest VM 400 is Android), an APP 402 may run on Android, and the kernel of Android may be Linux. To protect the memory 410 allocated by the Linux kernel (e.g., the Linux kernel may control memory for APPs, drivers and services in use), the client 404 of the APP 402 may send to the Linux kernel at least one virtual address VA and first size information SIZE_1 corresponding to the at least one virtual address VA, where the at least one virtual address VA may represent the virtual address of the memory 410 and the first size information SIZE_1 may represent the size of the memory 410.
The Linux kernel may include a protection service module 406 and an MMU manager 408. The protection service module 406 may be configured to receive the at least one virtual address VA and the first size information SIZE_1 sent by the client 404 of the APP 402, for protecting the memory 410. The MMU manager 408 may be configured to manage an MMU (not shown in Figure 4). In this embodiment, the MMU manager 408 may include at least one L2P address mapping table 409 (labeled "L2P table" in Figure 4) and may convert the at least one virtual address VA into at least one physical address according to the at least one L2P address mapping table 409, to generate a physical address array PA_ARRAY and second size information SIZE_2 corresponding to the physical address array PA_ARRAY, where the second size information SIZE_2 may represent the size of the physical address array PA_ARRAY. The hypervisor 420 may be configured to receive the at least one virtual address VA and the first size information SIZE_1 sent by the protection service module 406.
The host VM 440 may include a protection manager 442, which may be configured to: receive the at least one virtual address VA and the first size information SIZE_1 sent by the hypervisor 420; obtain the physical address array PA_ARRAY and the second size information SIZE_2 from the MMU manager 408 according to the at least one virtual address VA and the first size information SIZE_1; and protect the memory 410 according to the physical address array PA_ARRAY and the second size information SIZE_2. The difference between the system 20 shown in Figure 2 and the system 40 shown in Figure 4 is that, instead of the MMU integrity protection module, the host VM 440 may further include an MMU integrity monitor 444. The MMU manager 408 may register with the hypervisor 420 (labeled "Register" in Figure 4). The hypervisor 420 may also be configured to send a monitoring signal MS to the host VM 440 (more specifically, to the MMU integrity monitor 444) for monitoring the MMU manager 408.
In this embodiment, the MMU 408 is legal for the system 40, and the MMU integrity monitor 444 may be configured to monitor (labeled "Monitor" in Figure 4), according to the monitoring signal MS sent by the hypervisor 420, accesses (e.g., reads or writes) to the at least one L2P address mapping table 409, to determine whether an access to the at least one L2P address mapping table 409 is illegal for the system 40. In response to an access to the at least one L2P address mapping table 409 being illegal for the system 40, the MMU integrity monitor 444 may be further configured to prevent the protection manager 442 from protecting the memory 410 allocated by the Linux kernel. Compared with the system 20 shown in Figure 2, the system 40 shown in Figure 4 has better Linux kernel performance. However, the system 40, which monitors using the MMU manager 408, is not more secure than the system 20, which protects using the MMU manager 208, and it must be ensured that the MMU manager 408 is legal for the system 40.
In some embodiments, there is no need to ensure that the MMU manager 408 is legal for the system 40. Regardless of whether the MMU manager 408 is legal for the system 40, the MMU integrity monitor 444 may be configured to monitor the resources of the MMU manager 408 to determine whether the resources of the MMU manager 408 are illegal for the system 40. In response to the resources of the MMU manager 408 being illegal for the system 40, the MMU integrity monitor 444 may be further configured to prevent the protection manager 442 from protecting the memory 410.
In summary, because the protection manager 242/442 obtains the physical address array PA_ARRAY and the second size information SIZE_2 directly from the MMU manager 208/408 according to the at least one virtual address VA and the first size information SIZE_1 sent by the hypervisor 220/420, the performance of the system 20/40 can be improved. In addition, the system 20/40 can be prevented from being tampered with or attacked while the at least one virtual address VA and the first size information SIZE_1 are transmitted to the protection manager 242/442 through the hypervisor 220/420, and the trustworthiness of the at least one virtual address VA and the first size information SIZE_1 can be ensured by protecting or monitoring the at least one L2P address mapping. As a result, the security of the system 20/40 can be guaranteed.
The above are only preferred embodiments of the present invention, and all equivalent changes and modifications made in accordance with the scope of the claims of the present invention shall fall within the scope of the present invention.
Claims (11)
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US202263325136P | 2022-03-29 | 2022-03-29 | |
US63/325,136 | 2022-03-29 | ||
US17/978,995 | 2022-11-02 | ||
US17/978,995 US20230091722A1 (en) | 2021-09-17 | 2022-11-02 | System to enhance memory protection associated with kernel of operating system |
Publications (2)
Publication Number | Publication Date |
---|---|
TW202338618A TW202338618A (en) | 2023-10-01 |
TWI830522B (en) | 2024-01-21 |
Family
ID=89856248
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111146398A TWI830522B (en) | 2022-03-29 | 2022-12-02 | Method for enhancing memory protection and computing system |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI830522B (en) |
- 2022-12-02: TW application TW111146398A, patent TWI830522B, status active