-
Publication number: US09195827B2
Publication date: 2015-11-24
Application number: US14473085
Application date: 2014-08-29
Applicant: Google Inc.
Inventor: Eric R. Northup
CPC classification number: G06F21/56, G06F9/545, G06F21/45, G06F21/52, G06F21/57, G06F21/71, G06F21/74
Abstract: Among other disclosed subject matter, a computer-implemented method includes initializing a first descriptor table and a second descriptor table. The first descriptor table is associated with a first permission level and the second descriptor table is associated with a second permission level that is different from the first permission level. The first descriptor table and the second descriptor table are associated with a hardware processor and initialized by an operating system kernel. The method also includes providing a memory address associated with the first descriptor table, in response to a descriptor table address request. The descriptor table address request is provided by a software process. The method also includes updating the second descriptor table, in response to an update request.
-
Publication number: US09576129B2
Publication date: 2017-02-21
Application number: US14839594
Application date: 2015-08-28
Applicant: Google Inc.
Inventor: Eric R. Northup
CPC classification number: G06F21/56, G06F9/545, G06F21/45, G06F21/52, G06F21/57, G06F21/71, G06F21/74
Abstract: Among other disclosed subject matter, a computer-implemented method includes changing access permission level associated with a descriptor table responsive to request to update the descriptor table. In some implementation, before receiving the request to update, the descriptor table is maintained in a read-only state; and changing the access permission level comprises: allowing write access to the descriptor table responsive to determining that the update request is authorized.
-
Publication number: US20150371041A1
Publication date: 2015-12-24
Application number: US14839594
Application date: 2015-08-28
Applicant: Google Inc.
Inventor: Eric R. Northup
CPC classification number: G06F21/56, G06F9/545, G06F21/45, G06F21/52, G06F21/57, G06F21/71, G06F21/74
Abstract: Among other disclosed subject matter, a computer-implemented method includes changing access permission level associated with a descriptor table responsive to request to update the descriptor table. In some implementation, before receiving the request to update, the descriptor table is maintained in a read-only state; and changing the access permission level comprises: allowing write access to the descriptor table responsive to determining that the update request is authorized.
-
Publication number: US09448830B2
Publication date: 2016-09-20
Application number: US13830013
Application date: 2013-03-14
Applicant: Google Inc.
Inventor: Evan K. Anderson, Alexander Mohr, Joseph S. Beda, III, Michael H. Waychison, Cory T. Maccarrone, Eric R. Northup, Sanjeet Singh Mehat
IPC: G06F9/455
CPC classification number: G06F9/45558, G06F9/4555, G06F2009/45595
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for service bridges. In one aspect, a method includes a host operating system performs operations comprising: receiving, using one or more service bridges that execute in the host operating system, a plurality of requests from the one or more virtual machines, wherein each service bridge is associated with a different virtual machine of the one or more virtual machines, and wherein each request is a request to interface with one or more external services; modifying, using a respective service bridge, each request to be processed by the one or more external services; and providing each modified request from the respective service bridge to the one or more external services, where the respective service bridge communicates with the one or more external services over a network.
-
Publication number: US20140373154A1
Publication date: 2014-12-18
Application number: US14473085
Application date: 2014-08-29
Applicant: Google Inc.
Inventor: Eric R. Northup
IPC: G06F21/56
CPC classification number: G06F21/56, G06F9/545, G06F21/45, G06F21/52, G06F21/57, G06F21/71, G06F21/74
Abstract: Among other disclosed subject matter, a computer-implemented method includes initializing a first descriptor table and a second descriptor table. The first descriptor table is associated with a first permission level and the second descriptor table is associated with a second permission level that is different from the first permission level. The first descriptor table and the second descriptor table are associated with a hardware processor and initialized by an operating system kernel. The method also includes providing a memory address associated with the first descriptor table, in response to a descriptor table address request. The descriptor table address request is provided by a software process. The method also includes updating the second descriptor table, in response to an update request.
-
Publication number: US09251341B1
Publication date: 2016-02-02
Application number: US14331786
Application date: 2014-07-15
Applicant: Google Inc.
Inventor: Eric R. Northup
CPC classification number: G06F21/554, G06F9/45533, G06F21/53, G06F21/556, H04L63/1441, G06F21/55, G06F21/552
Abstract: Among other disclosed subject matter, a computer-implemented method includes executing a plurality of virtual machines on a physical machine, wherein a first virtual machine of the plurality of virtual machines executes an encryption process. Execution of a hostile process that is configured to compromise the encryption process is detected, wherein the hostile process executes in a second virtual machine of the plurality of virtual machines. Migrating at least the second virtual machine to a different second physical machine based on the detection of the execution of the hostile process.