公开(公告)号：US20170344496A1

公开(公告)日：2017-11-30

申请号：US15682056

申请日：2017-08-21

Applicant: VMware, Inc.

Inventor： Xiaoxin CHEN ,  Carl A. WALDSPURGER ,  Pratap SUBRAHMANYAM ,  Tal GARFINKEL ,  Dan BONEH

IPC: G06F12/14

CPC classification number: G06F12/1408 ,  G06F12/1491 ,  G06F21/6218 ,  G06F2212/151

Abstract: A virtual-machine-based system that may protect the privacy and integrity of application data, even in the event of a total operating system compromise. An application is presented with a normal view of its resources, but the operating system is presented with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Different views of “physical” memory are presented, depending on a context performing the access. An additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processors is provided.

公开(公告)号：US20160179564A1

公开(公告)日：2016-06-23

申请号：US15055468

申请日：2016-02-26

Applicant: VMware, Inc.

Inventor： Xiaoxin CHEN ,  Carl A. WALDSPURGER ,  Pratap SUBRAHMANYAM

IPC: G06F9/455

CPC classification number: G06F9/45558 ,  G06F12/109 ,  G06F12/1491 ,  G06F2009/45583 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/657

Abstract: Virtualization software establishes multiple execution environments within a virtual machine, wherein software modules executing in one environment cannot access private memory of another environment. A separate set of shadow memory address mappings is maintained for each execution environment. For example, a separate shadow page table may be maintained for each execution environment. The virtualization software ensures that the shadow address mappings for one execution environment do not map to the physical memory pages that contain the private code or data of another execution environment. When execution switches from one execution environment to another, the virtualization software activates the shadow address mappings for the new execution environment. A similar approach, using separate mappings, may also be used to prevent software modules in one execution environment from accessing the private disk space or other secondary storage of another execution environment.

Abstract translation: 虚拟化软件在虚拟机内建立多个执行环境，其中在一个环境中执行的软件模块不能访问另一环境的专用内存。 为每个执行环境维护一组单独的影子内存地址映射。 例如，可以为每个执行环境维护单独的影子页表。 虚拟化软件确保一个执行环境的影子地址映射不映射到包含其他执行环境的私有代码或数据的物理内存页面。 当执行从一个执行环境切换到另一个执行环境时，虚拟化软件会激活新执行环境的影子地址映射。 使用单独映射的类似方法也可用于防止一个执行环境中的软件模块访问另一个执行环境的专用磁盘空间或其他辅助存储。

公开(公告)号：US20230069152A1

公开(公告)日：2023-03-02

申请号：US17411792

申请日：2021-08-25

Applicant: VMware, Inc.

Inventor： Isam Wadih AKKAWI ,  Andreas NOWATZYK ,  Pratap SUBRAHMANYAM ,  Nishchay DUA ,  Adarsh Seethanadi NAYAK ,  Venkata Subhash Reddy PEDDAMALLU ,  Irina CALCIU

IPC: G06F12/0804 ,  G06F13/16 ,  G06F13/40

Abstract: In a computer system, a processor and an I/O device controller communicate with each other via a coherence interconnect and according to a cache coherence protocol. Registers of the I/O device controllers are mapped to the cache coherent memory space to allow the processor to treat the registers as cacheable memory. As a result, latency of processor commands executed by the I/O device controller is decreased, and size of data stored in the I/O device controller that can be accessed by the processor is increased from the size of a single register to the size of an entire cache line.

公开(公告)号：US20230023256A1

公开(公告)日：2023-01-26

申请号：US17488028

申请日：2021-09-28

Applicant: VMware, Inc.

Inventor： Irina CALCIU ,  Andreas NOWATZYK ,  Pratap SUBRAHMANYAM

IPC: G06F12/084

Abstract: A method of performing a copy-on-write on a shared memory page is carried out by a device communicating with a processor via a coherence interconnect. The method includes: adding a page table entry so that a request to read a first cache line of the shared memory page includes a cache-line address of the shared memory page and a request to write to a second cache line of the shared memory page includes a cache-line address of a new memory page; in response to the request to write to the second cache line, storing new data of the second cache line in a second memory and associating the second cache-line address with the new data stored in the second memory; and in response to a request to read the second cache line, reading the new data of the second cache line from the second memory.

公开(公告)号：US20230022096A1

公开(公告)日：2023-01-26

申请号：US17383342

申请日：2021-07-22

Applicant: VMware, Inc.

Inventor： Irina CALCIU ,  Andreas NOWATZYK ,  Pratap SUBRAHMANYAM

IPC: G06F21/53 ,  G06F21/54 ,  G06F21/55 ,  G06F9/455 ,  G06F12/0891

Abstract: While an application or a virtual machine (VM) is running, a device tracks accesses to cache lines to detect access patterns that indicate security attacks, such as cache-based side channel attacks or row hammer attacks. To enable the device to detect accesses to cache lines, the device is connected to processors via a coherence interconnect, and the application/VM data is stored in a local memory of the device. The device collects the cache lines of the application/VM data that are accessed while the application/VM is running into a buffer and the buffer is analyzed for access patterns that indicate security attacks.

公开(公告)号：US20230004496A1

公开(公告)日：2023-01-05

申请号：US17367048

申请日：2021-07-02

Applicant: VMware, Inc.

Inventor： Irina CALCIU ,  Andreas NOWATZYK ,  Isam Wadih AKKAWI ,  Venkata Subhash Reddy PEDDAMALLU ,  Pratap SUBRAHMANYAM

IPC: G06F12/0862

Abstract: Memory pages of a local application program are prefetched from a memory of a remote host. A method of prefetching the memory pages from the remote memory includes detecting that a cache-line access made by a processor executing the local application program is an access to a cache line containing page table data of the local application program, identifying data pages that are referenced by the page table data, and fetching the identified data pages from the remote memory and storing the fetched data pages in a local memory.

公开(公告)号：US20220414017A1

公开(公告)日：2022-12-29

申请号：US17355941

申请日：2021-06-23

Applicant: VMware, Inc.

Inventor： Nishchay DUA ,  Andreas NOWATZYK ,  Isam Wadih AKKAWI ,  Pratap SUBRAHMANYAM ,  Venkata Subhash Reddy PEDDAMALLU ,  Adarsh Seethanadi NAYAK

IPC: G06F12/0897 ,  G06F12/0831 ,  G06F12/0862 ,  G06F9/455

Abstract: The state of cache lines transferred into an out of caches of processing hardware is tracked by monitoring hardware. The method of tracking includes monitoring the processing hardware for cache coherence events on a coherence interconnect between the processing hardware and monitoring hardware, determining that the state of a cache line has changed, and updating a hierarchical data structure to indicate the change in the state of said cache line. The hierarchical data structure includes a first level data structure including first bits, and a second level data structure including second bits, each of the first bits associated with a group of second bits. The step of updating includes setting one of the first bits and one of the second bits in the group corresponding to the first bit that is being set, according to an address of said cache line.

公开(公告)号：US20200242035A1

公开(公告)日：2020-07-30

申请号：US16256562

申请日：2019-01-24

Applicant: VMware, Inc.

Inventor： Aasheesh KOLLI ,  Irina CALCIU ,  Jayneel GANDHI ,  Pratap SUBRAHMANYAM

IPC: G06F12/0817

Abstract: Described herein is a method for tracking changes to memory locations made by an application. In one embodiment, the application decides to start tracking and sends a list of virtual memory pages to be tracked to an operating system via an interface. The operating system converts the list of virtual memory pages to a list of physical addresses and sends the list of physical addresses to a hardware unit which performs the tracking by detecting write backs on a coherence interconnect coupled to the hardware unit. After the application ends tracking, the application requests a list of dirty cache lines. In response to the request, the operating system obtains the list of dirty cache lines from the hardware unit and adds the list to a buffer that the application can read. In other embodiments, the operating system can perform the tracking without the application making the request.

公开(公告)号：US20190004850A1

公开(公告)日：2019-01-03

申请号：US16102411

申请日：2018-08-13

Applicant: VMware, Inc.

Inventor： Xiaoxin CHEN ,  Carl A. WALDSPURGER ,  Pratap SUBRAHMANYAM

IPC: G06F9/46 ,  G06F9/448 ,  G06F9/48 ,  G06F9/455 ,  G06F11/14

Abstract: A virtual-machine-based system that identifies an application or process in a virtual machine in order to locate resources associated with the identified application. Access to the located resources is then controlled based on a context of the identified application. Those applications without the necessary context will have a different view of the resource.

公开(公告)号：US20170185531A9

公开(公告)日：2017-06-29

申请号：US14048515

申请日：2013-10-08

Applicant: VMware, Inc.

Inventor： Xiaoxin CHEN ,  Carl A. WALDSPURGER ,  Pratap SUBRAHMANYAM ,  Tal GARFINKEL ,  Dan BONEH

IPC: G06F12/14

CPC classification number: G06F12/1408 ,  G06F12/1491 ,  G06F21/6218 ,  G06F2212/151

Abstract: A virtual-machine-based system that may protect the privacy and integrity of application data, even in the event of a total operating system compromise. An application is presented with a normal view of its resources, but the operating system is presented with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Different views of “physical” memory are presented, depending on a context performing the access. An additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processors is provided.