公开(公告)号：US20160299851A1

公开(公告)日：2016-10-13

申请号：US14798483

申请日：2015-07-14

Applicant: VMWARE, INC.

Inventor： James S. Mattson, JR. ,  Rakesh Agarwal ,  Alok Nemchand Kataria ,  Wei Xu ,  Frederick Joseph Jacobs

IPC: G06F12/10

CPC classification number: G06F12/145 ,  G06F9/45558 ,  G06F21/78 ,  G06F2009/45587 ,  G06F2212/1052 ,  G06F2212/151

Abstract: A hypervisor provides a guest operating system with a plurality of protection domains, including a root protection domain and one or more secure protection domains, and mechanisms for controlling the transitions between the protection domains. The guest physical memory region of a secure protection domain, which is mapped to host physical memory by secure nested page tables, stores secure guest code and data, and guest page tables for the secure guest code. When executing secure guest code, the guest page tables stored in the secure protection domain region are used for guest virtual to guest physical address translations, and the secure nested page tables are used for guest physical to host physical address translations.

Abstract translation: 管理程序为客户机操作系统提供了多个保护域，包括根保护域和一个或多个安全保护域，以及用于控制保护域之间转换的机制。 通过安全嵌套页面表映射到主机物理内存的安全保护域的访客物理内存区域存储安全访客代码和数据，以及安全访客代码的访客页面表。 当执行安全访客代码时，存储在安全保护域区域中的访客页面表用于访客虚拟客户物理地址转换，并且安全嵌套页面表用于访客物理主机物理地址转换。

公开(公告)号：US09411979B2

公开(公告)日：2016-08-09

申请号：US14500754

申请日：2014-09-29

Applicant: VMware, Inc.

Inventor： Rakesh Agarwal

IPC: G06F7/04 ,  G06F12/00 ,  G06F17/30 ,  G06F21/62 ,  G06F9/445 ,  G06F21/53 ,  G06F9/455 ,  G06F21/52 ,  G06F21/12

CPC classification number: G06F21/6218 ,  G06F9/44505 ,  G06F9/455 ,  G06F21/12 ,  G06F21/52 ,  G06F21/53 ,  G06F21/62 ,  G06F21/6281

Abstract: In a computer system operable at more than one privilege level, an application is securely customized to use secret data without disclosing the secret data to a managing operating system. In operation, an integrity module executes at a higher privilege level than both the managing operating system and the application. After the managing operating system loads the application executable code, the integrity module injects the secret data directly into the instruction stream of the application executable code and then sets the memory location of the secret data as executable-only. As the application executes at the assigned privilege level, the instruction in the application directly accesses the secret data without performing any indirect memory access, thereby protecting the secret data from malicious attempts to read the secret data at a privilege level lower than the integrity module.

Abstract translation: 在可操作于多于一个特权级别的计算机系统中，安全地定制应用以使用秘密数据，而不向管理操作系统公开秘密数据。 在操作中，完整性模块在比管理操作系统和应用程序更高的特权级别执行。 在管理操作系统加载应用程序可执行代码之后，完整性模块将秘密数据直接注入到应用程序可执行代码的指令流中，然后将秘密数据的存储位置设置为可执行代码。 当应用程序在分配的权限级别执行时，应用程序中的指令直接访问秘密数据而不执行任何间接存储器访问，从而保护秘密数据免受恶意尝试以低于完整性模块的特权级别读取秘密数据。

公开(公告)号：US11379385B2

公开(公告)日：2022-07-05

申请号：US15444350

申请日：2017-02-28

Applicant: VMWARE, INC.

Inventor： Alok Nemchand Kataria ,  Wei Xu ,  Radu Rugina ,  Jeffrey W. Sheldon ,  James S. Mattson ,  Rakesh Agarwal ,  David Dunn

IPC: G06F12/14 ,  G06F21/50 ,  G06F9/455 ,  G06F9/46 ,  G06F21/74

Abstract: Mechanisms to protect the integrity of memory of a virtual machine are provided. The mechanisms involve utilizing certain capabilities of the hypervisor underlying the virtual machine to monitor writes to memory pages of the virtual machine. A guest integrity driver communicates with the hypervisor to request such functionality. Additional protections are provided for protecting the guest integrity driver and associated data, as well as for preventing use of these mechanisms by malicious software. These additional protections include an elevated execution mode, termed “integrity mode,” which can only be entered from a specified entry point, as well as protections on the memory pages that store the guest integrity driver and associated data.

公开(公告)号：US10922402B2

公开(公告)日：2021-02-16

申请号：US14550881

申请日：2014-11-21

Applicant: VMware, Inc.

Inventor： Wei Xu ,  Alok Nemchand Kataria ,  Rakesh Agarwal ,  Martim Carbone

IPC: G06F21/53 ,  G06F13/24

Abstract: In a computer system operable at more than one privilege level, an interrupt security module handles interrupts without exposing a secret value of a register to virtual interrupt handling code that executes at a lower privilege level than the interrupt security module. The interrupt security module is configured to intercept interrupts generated while executing code at lower privilege levels. Upon receiving such an interrupt, the interrupt security module overwrites the secret value of the register with an unrelated constant. Subsequently, the interrupt security module generates a virtual interrupt corresponding to the interrupt and forwards the virtual interrupt to the virtual interrupt handling code. Advantageously, although the virtual interrupt handling code is able to determine the value of the register and consequently the unrelated constant, the virtual interrupt handling code is unable to determine the secret value.

公开(公告)号：US09870324B2

公开(公告)日：2018-01-16

申请号：US14798483

申请日：2015-07-14

Applicant: VMWARE, INC.

Inventor： James S. Mattson, Jr. ,  Rakesh Agarwal ,  Alok Nemchand Kataria ,  Wei Xu ,  Frederick Joseph Jacobs

IPC: G06F12/08 ,  G06F12/14

CPC classification number: G06F12/145 ,  G06F9/45558 ,  G06F21/78 ,  G06F2009/45587 ,  G06F2212/1052 ,  G06F2212/151

Abstract: A hypervisor provides a guest operating system with a plurality of protection domains, including a root protection domain and one or more secure protection domains, and mechanisms for controlling the transitions between the protection domains. The guest physical memory region of a secure protection domain, which is mapped to host physical memory by secure nested page tables, stores secure guest code and data, and guest page tables for the secure guest code. When executing secure guest code, the guest page tables stored in the secure protection domain region are used for guest virtual to guest physical address translations, and the secure nested page tables are used for guest physical to host physical address translations.

公开(公告)号：US09398019B2

公开(公告)日：2016-07-19

申请号：US14500779

申请日：2014-09-29

Applicant: VMware, Inc.

Inventor： Rakesh Agarwal

IPC: H04L29/06 ,  G06F9/455

CPC classification number: H04L63/102 ,  G06F9/45558 ,  G06F21/62 ,  G06F21/79 ,  G06F2009/45587 ,  H04L63/105

Abstract: In a computer system operable at more than one privilege level, confidential code is securely customized to use secret data to establish a code protection domain without disclosing the secret data to a managing operating system. In operation, a security module executes at a higher privilege level than both the managing operating system and the confidential code. After the managing operating system loads the executable of the confidential code, the security module injects the secret data directly into an authorization instruction and a verification instruction included in the confidential code and then sets both the authorization instruction and the verification instruction as executable-only. As the confidential code executes at the assigned privilege level, the authorization instruction and the verification instruction use the secret data to distinguish between unauthorized and authorized execution of the confidential code.

Abstract translation: 在可操作于多于一个特权级别的计算机系统中，安全地定制机密代码以使用秘密数据来建立代码保护域而不向管理操作系统公开秘密数据。 在操作中，安全模块在比管理操作系统和机密代码更高的特权级别执行。 在管理操作系统加载机密码的可执行文件之后，安全模块将秘密数据直接注入到机密码中的授权指令和验证指令中，然后将授权指令和验证指令两者都设置为可执行的。 由于秘密代码在分配的权限级别执行，授权指令和验证指令使用秘密数据来区分未经授权和授权执行的机密代码。