公开(公告)号：US20100192026A1

公开(公告)日：2010-07-29

申请号：US12360259

申请日：2009-01-27

Applicant: Martin Abadi ,  Ulfar Erlingsson ,  Daniel Luchaup ,  Marcus Peinado

Inventor： Martin Abadi ,  Ulfar Erlingsson ,  Daniel Luchaup ,  Marcus Peinado

IPC: G06F11/08

CPC classification number: G06F11/08

Abstract: Runtime checks on a program may be used to determine whether a pointer points to a legitimate target before the pointer is dereferenced. Legitimate addresses, such as address-taken local variables (ATLVs), global variables, heap locations, functions, etc., are tracked, so that the legitimate targets of pointers are known. The program may be transformed so that, prior to dereferencing a pointer, the pointer is checked to ensure that it points to a legitimate address. If the pointer points to a legitimate address, then the dereferencing may proceed. Otherwise, an error routine may be invoked. One example way to keep track of legitimate addresses is to group address-taken variables together within a specific range or ranges of memory addresses, and to check that a pointer has a value within that range prior to dereferencing the pointer. However, addresses may be tracked in other ways.

Abstract translation: 在指针取消引用之前，可以使用对程序的运行时检查来确定指针是否指向合法目标。 跟踪合法的地址，例如地址采取的局部变量（ATLV），全局变量，堆位置，函数等，以便指针的合法目标是已知的。 程序可以被转换，使得在取消引用指针之前，检查指针以确保它指向合法的地址。 如果指针指向合法的地址，则可以进行取消引用。 否则，可以调用错误例程。 跟踪合法地址的一个示例方法是将地址采集的变量组合在一个特定的存储器地址范围或范围内，并在取消引用指针之前检查指针是否具有该范围内的值。 但是，地址可以以其他方式跟踪。

公开(公告)号：US20090265715A1

公开(公告)日：2009-10-22

申请号：US12492045

申请日：2009-06-25

Applicant: Ulfar Erlingsson ,  Edward P. Wobber ,  Paul Barham ,  Thomas Roeder

Inventor： Ulfar Erlingsson ,  Edward P. Wobber ,  Paul Barham ,  Thomas Roeder

IPC: G06F3/00 ,  G06F9/455 ,  G06F9/00 ,  G06F11/00

CPC classification number: G06F9/4411 ,  G06F9/4401

Abstract: Extensions to operating systems or software applications can be hosted in virtual environments to fault isolate the extension. A generic proxy extension invoked by a host process can coordinate the invocation of an appropriate extension in a virtual process that can provide the same support APIs as the host process. Furthermore, a user mode context can be provided to the extension in the virtual process through memory copying or page table modifications. In addition, the virtual process, especially a virtual operating system process running on a virtual machine, can be efficiently started by cloning a coherent state. A coherent state can be created when a virtual machine starts up, or when the computing device starts up and the appropriate parameters are observed and saved. Alternatively, the operating system can create a coherent state by believing there is an additional CPU during the boot process.

Abstract translation: 操作系统或软件应用程序的扩展可以托管在虚拟环境中，以隔离扩展。 由主机进程调用的通用代理扩展可以协调在虚拟进程中调用适当的扩展，该虚拟进程可以提供与主机进程相同的支持API。 此外，可以通过存储器复制或页表修改在虚拟过程中向用户模式上下文提供。 此外，可以通过克隆一致的状态来有效地启动虚拟进程，特别是在虚拟机上运行的虚拟操作系统进程。 当虚拟机启动时，或者计算设备启动并且观察并保存适当的参数时，可以创建一致的状态。 或者，操作系统可以通过相信在引导过程中有额外的CPU来创建一致的状态。

公开(公告)号：US20090210888A1

公开(公告)日：2009-08-20

申请号：US12030868

申请日：2008-02-14

Applicant: Mingtzong Lee ,  Peter Wieland ,  Nar Ganapathy ,  Ulfar Erlingsson ,  Martin Abadi ,  John Richardson

Inventor： Mingtzong Lee ,  Peter Wieland ,  Nar Ganapathy ,  Ulfar Erlingsson ,  Martin Abadi ,  John Richardson

IPC: G06F9/54

CPC classification number: G06F9/4812 ,  G06F9/45558 ,  G06F2009/45579

Abstract: A device driver includes a hypervisor stub and a virtual machine driver module. The device driver may access device registers while operating within a virtual machine to promote system stability while providing a low-latency software response from the system upon interrupts. Upon receipt of an interrupt, the hypervisor stub may run an interrupt service routine and write information to shared memory. Control is passed to the virtual machine driver module by a reflector. The virtual machine driver module may then read the information from the shared memory to continue servicing the interrupt.

Abstract translation: 设备驱动程序包括虚拟机管理程序存根和虚拟机驱动程序模块。 设备驱动程序可以在虚拟机中运行时访问设备寄存器，以提高系统稳定性，同时在中断时提供来自系统的低延迟软件响应。 在接收到中断时，管理程序存根可以运行中断服务程序并将信息写入共享存储器。 控制通过反射器传递给虚拟机驱动程序模块。 然后，虚拟机驱动器模块可以从共享存储器读取信息以继续服务中断。

公开(公告)号：US07574709B2

公开(公告)日：2009-08-11

申请号：US10837971

申请日：2004-04-30

Applicant: Ulfar Erlingsson ,  Edward P. Wobber ,  Paul Barham ,  Thomas Roeder

Inventor： Ulfar Erlingsson ,  Edward P. Wobber ,  Paul Barham ,  Thomas Roeder

IPC: G06F3/00 ,  G06F9/00 ,  G06F9/455 ,  G06F11/00

CPC classification number: G06F9/4411 ,  G06F9/4401

Abstract: Extensions to operating systems or software applications can be hosted in virtual environments to fault isolate the extension. The virtual environment in which extensions designed to control hardware devices can safely execute can be efficiently created during an initial startup sequence of a host environment by indicating to the host environment that a second processing unit is present in the computing system allowing the host environment to create a coherent state. A virtual process, especially a virtual operating system process running on a virtual machine, can be efficiently started by the created coherent state. A coherent state can be created when an operating system starts up and the appropriate parameters are observed and saved. Alternatively, an operating system of the host environment can create the coherent state by receiving indication of the second processing unit during the boot process.

Abstract translation: 操作系统或软件应用程序的扩展可以托管在虚拟环境中，以隔离扩展。 通过向主机环境指示在计算系统中存在允许主机环境创建的第二处理单元，可以在主机环境的初始启动顺序期间有效地创建用于控制硬件设备的扩展的安全执行的虚拟环境 一个连贯的状态。 可以通过创建的相干状态有效地启动虚拟进程，特别是在虚拟机上运行的虚拟操作系统进程。 当操作系统启动并且观察并保存适当的参数时，可以创建相干状态。 或者，主机环境的操作系统可以通过在引导过程期间接收第二处理单元的指示来创建相干状态。

公开(公告)号：US20090138625A1

公开(公告)日：2009-05-28

申请号：US11944436

申请日：2007-11-22

Applicant: Mingtzong Lee ,  Peter Wieland ,  Nar Ganapathy ,  Ulfar Erlingsson ,  Martin Abadi ,  John Richardson

Inventor： Mingtzong Lee ,  Peter Wieland ,  Nar Ganapathy ,  Ulfar Erlingsson ,  Martin Abadi ,  John Richardson

IPC: G06F9/54 ,  G06F13/28 ,  G06F13/24

CPC classification number: G06F13/28 ,  G06F9/4812 ,  G06F9/545

Abstract: A device driver includes a kernel stub and a user-mode module. The device driver may access device registers while operating in user-mode to promote system stability while providing a low-latency software response from the system upon interrupts. Upon receipt of an interrupt, the kernel stub may run an interrupt service routine and write information to shared memory. Control is passed to the user-mode module by a reflector. The user-mode module may then read the information from the shared memory to continue servicing the interrupt.

Abstract translation: 设备驱动程序包括内核存根和用户模式模块。 设备驱动程序可以在用户模式下操作时访问设备寄存器，以提高系统稳定性，同时在中断时从系统提供低延迟软件响应。 收到中断后，内核存根可以运行中断服务程序并将信息写入共享存储器。 控制由反射器传递给用户模式模块。 然后，用户模式模块可以从共享存储器读取信息以继续维护中断。

公开(公告)号：US20070234005A1

公开(公告)日：2007-10-04

申请号：US11393014

申请日：2006-03-29

Applicant: Ulfar Erlingsson ,  Mark Manasse ,  Frank McSherry ,  Abraham Flaxman

Inventor： Ulfar Erlingsson ,  Mark Manasse ,  Frank McSherry ,  Abraham Flaxman

IPC: G06F12/00

CPC classification number: G06F17/30949

Abstract: Hash tables comprising load factors of up to and above 97% are disclosed. The hash tables may be associated with three or more hash functions, each hash function being applied to a key to identify a location in a hash table. The load factor of a hash table may be increased, obviating any need to increase the size of the hash table to accommodate more insertions. Such increase in load factor may be accomplished by a combination of increasing the number of cells per bucket in a hash table and increasing the number of hash functions associated with the hash table.

Abstract translation: 公开了包含高达和高于97％的负载因子的哈希表。 散列表可以与三个或更多个散列函数相关联，每个散列函数被应用于密钥以标识散列表中的位置。 可以增加散列表的负载因子，从而避免了增加哈希表的大小以适应更多的插入的任何需要。 负载因子的这种增加可以通过增加哈希表中的每个桶的单元数目并增加与散列表相关联的散列函数的数量的组合来实现。

公开(公告)号：US20050246718A1

公开(公告)日：2005-11-03

申请号：US10837971

申请日：2004-04-30

Applicant: Ulfar Erlingsson ,  Edward Wobber ,  Paul Barham ,  Thomas Roeder

Inventor： Ulfar Erlingsson ,  Edward Wobber ,  Paul Barham ,  Thomas Roeder

IPC: G06F9/54 ,  G06F9/44 ,  G06F9/445 ,  H04K1/00

CPC classification number: G06F9/4411 ,  G06F9/4401

Abstract: Extensions to operating systems or software applications can be hosted in virtual environments to fault isolate the extension. A generic proxy extension invoked by a host process can coordinate the invocation of an appropriate extension in a virtual process that can provide the same support APIs as the host process. Furthermore, a user mode context can be provided to the extension in the virtual process through memory copying or page table modifications. In addition, the virtual process, especially a virtual operating system process running on a virtual machine, can be efficiently started by cloning a coherent state. A coherent state can be created when a virtual machine starts up, or when the computing device starts up and the appropriate parameters are observed and saved. Alternatively, the operating system can create a coherent state by believing there is an additional CPU during the boot process.

Abstract translation: 操作系统或软件应用程序的扩展可以托管在虚拟环境中，以隔离扩展。 由主机进程调用的通用代理扩展可以协调在虚拟进程中调用适当的扩展，该虚拟进程可以提供与主机进程相同的支持API。 此外，可以通过存储器复制或页表修改在虚拟过程中向用户模式上下文提供。 此外，可以通过克隆一致的状态来有效地启动虚拟进程，特别是在虚拟机上运行的虚拟操作系统进程。 当虚拟机启动时，或者计算设备启动并且观察并保存适当的参数时，可以创建一致的状态。 或者，操作系统可以通过相信在引导过程中有额外的CPU来创建一致的状态。

公开(公告)号：US08677141B2

公开(公告)日：2014-03-18

申请号：US11944460

申请日：2007-11-23

Applicant: Ulfar Erlingsson ,  Yinglian Xie ,  Ben Livshits ,  Cedric Fournet

Inventor： Ulfar Erlingsson ,  Yinglian Xie ,  Ben Livshits ,  Cedric Fournet

IPC: G06F11/30 ,  H04L9/32 ,  G06F12/14 ,  G06F7/04 ,  G06F11/00 ,  H03M13/00 ,  G06F9/44

CPC classification number: H04L63/1416 ,  G06F21/305 ,  G06F21/54 ,  G06F2221/2119 ,  G06F2221/2141 ,  H04L63/102

Abstract: A client-side enforcement mechanism may allow application security policies to be specified at a server in a programmatic manner. Servers may specify security policies as JavaScript functions included in a page returned by the server and run before other scripts. At runtime, and during initial loading, the functions are invoked by the client on each page modification to ensure the page conforms to the security policy. As such, before a mutation takes effect, the policy may transform that mutation and the code and data of the page. Replicated code execution may take place at both the client and the server where the server runs its own shadow copy of a client-side application in a trusted execution environment so that the server may check that the method calls coming from the client correspond to a correct execution of the client-side application The redundant execution at the client can be untrusted, but serves to improve the responsiveness and performance of the Web application.

Abstract translation: 客户端执行机制可以允许以编程方式在服务器处指定应用安全策略。 服务器可以将安全策略指定为服务器返回的页面中包含的JavaScript函数，并在其他脚本之前运行。 在运行时，并且在初始加载期间，客户机在每次修改页面时调用这些功能，以确保页面符合安全策略。 因此，在突变生效之前，策略可以转换该突变以及页面的代码和数据。 复制的代码执行可以在客户端和服务器上进行，其中服务器在可信执行环境中运行其自己的客户端应用程序的卷影副本，以便服务器可以检查来自客户机的方法调用是否对应于正确的 客户端应用程序的执行客户机上的冗余执行可以不受信任，但用于提高Web应用程序的响应性和性能。

公开(公告)号：US08104021B2

公开(公告)日：2012-01-24

申请号：US11450493

申请日：2006-06-09

Applicant: Ulfar Erlingsson ,  Martin Abadi ,  Michael Vrable

Inventor： Ulfar Erlingsson ,  Martin Abadi ,  Michael Vrable

IPC: G06F9/45

CPC classification number: G06F21/52 ,  G06F12/1441

Abstract: A verifier performs static checks of machine code to ensure that the code will execute safely. After verification is performed, the code is executed. The code modules generated by the rewriter and verified by the verifier prevent runtime code modifications so that properties established by the verifier cannot be invalidated during execution. Guards ensure that control flows only as expected. Stack data that must be shared within a code module, and which may therefore be corrupted during execution, is placed on a separate data stack. Other stack data remains on the regular execution stack, called the control stack. Multiple memory accesses can be checked by a single memory-range guard, optimized for fast access to the most-frequently used memory.

Abstract translation: 验证者执行机器代码的静态检查，以确保代码将安全执行。 执行验证后，执行代码。 由重写器生成并由验证者验证的代码模块防止运行时代码修改，以便验证者建立的属性在执行过程中不能被无效。 护卫员确保控制只能按预期方式流动。 必须在代码模块中共享的堆栈数据，并且可能在执行期间被破坏的堆栈数据被放置在单独的数据堆栈上。 其他堆栈数据保留在常规执行堆栈中，称为控制堆栈。 多个存储器访问可以由单个存储器范围保护来检查，优化用于快速访问最常用的存储器。

公开(公告)号：US07870336B2

公开(公告)日：2011-01-11

申请号：US11592808

申请日：2006-11-03

Applicant: Ulfar Erlingsson ,  Martin Abadi

Inventor： Ulfar Erlingsson ,  Martin Abadi

IPC: G06F13/00

CPC classification number: G06F12/1441 ,  G06F12/0802 ,  G06F12/1027 ,  G06F12/1408

Abstract: Unobservable memory regions, referred to as stealth memory regions, are allocated or otherwise provided to store data whose secrecy is to be protected. The stealth memory is prevented from exposing information about its usage pattern to an attacker or adversary. In particular, the usage patterns may not be deduced via the side-channels.

Abstract translation: 被称为隐形存储器区域的不可观察的存储区域被分配或以其他方式提供以存储其保密性被保护的数据。 隐身记忆被阻止将其使用模式的信息暴露给攻击者或对手。 特别地，不能通过侧信道来推断使用模式。