Patent abstract:
METHOD, SYSTEM, AND COMPUTER-READABLE STORAGE MEDIUM. The present invention relates to embodiments that provide a platform adaptation layer which allows applications to run within a user-mode hardware-protected isolation container while utilizing host platform resources (130, 200) that reside outside the isolation container. The platform adaptation layer facilitates a system service request interaction between the application (110, 216) and the host platform (130, 200). As part of that facilitation, a secure services component (122) of the platform adaptation layer performs a security-relevant action.
Publication number: BR112014014153B1
Application number: R112014014153-3
Filing date: 2012-12-04
Publication date: 2021-08-17
Inventors: Andrew A. Baumann; Galen C. Hunt; Marcus Peinado
Applicant: Microsoft Technology Licensing, Llc;
Main IPC number:
Patent description:

BACKGROUND OF THE INVENTION
[001] Conventional software applications rely on a variety of operating system functions. An operating system can provide a set of application programming interfaces (APIs) that deliver basic computing services such as task scheduling, memory allocation, virtual memory, device access, and so on. Additionally, an operating system can provide a feature-rich set of APIs that deliver further operating system services such as graphical user interface (GUI) services, clipboard services, and the like.
[002] Certain security-enabled processors are capable of providing a secure execution environment. Such security-enabled processors provide a protected memory space and ensure that code and data stored in the protected memory space are inaccessible to code outside the protected memory space. The security-enabled processor provides well-defined input and output functions, hereafter called ports, that allow execution to pass between code within the protected memory space and code outside the environment. The security-enabled processor does not allow access to input or output devices, or kernel-mode execution, within the protected memory space. As a result, the protected memory areas of security-enabled processors are too restrictive to run conventional software applications.
BRIEF SUMMARY
[003] This summary is provided for the purpose of introducing simplified concepts of the present description, which are further described below in the Detailed Description. This summary is not intended to identify essential features of the claimed subject matter, nor is it intended for use in determining the scope of the subject matter claimed.
[004] An application runs inside a user-mode hardware-protected isolation container (UMHPIC) provided by a security-enabled processor. A library operating system that runs inside the UMHPIC as part of the application fulfills most operating system requests, including high-level requests. A UMHPIC-aware platform adaptation layer (U-PAL) enables applications without any special knowledge of the UMHPIC to run inside it while utilizing operating system resources that reside outside the UMHPIC. The U-PAL includes a secure services component that runs within the UMHPIC and ensures that task scheduling, file system interactions and resource allocations are properly managed on behalf of the application. The U-PAL also includes a conversion component with a trusted portion that resides inside the UMHPIC and an untrusted portion that runs in user mode in the execution environment outside. The trusted conversion component passes system calls to the untrusted conversion component through an output port controlled by the security-enabled processor. The untrusted conversion component passes system call results from the operating system back into the UMHPIC through an input port controlled by the security-enabled processor.
BRIEF DESCRIPTION OF THE FIGURES
[005] The Detailed Description is set forth with reference to the accompanying Figures. In the Figures, the leftmost digit(s) of a reference number identifies the Figure in which the reference number first appears. The use of the same reference numbers in different Figures indicates similar or identical items.
[006] Figure 1 is a schematic diagram of a secure execution environment to run an application in a UMHPIC.
[007] Figure 2 is a block diagram of an exemplary computing system usable to provide a secure execution environment according to embodiments.
[008] Figure 3 is a flowchart that shows an example process to provide security to an application running on a UMHPIC.
[009] Figure 4 is a flowchart that shows an example process to facilitate a resource request interaction between an application that runs inside a UMHPIC and a host platform that runs outside of UMHPIC.
[0010] Figure 5 is a flowchart that shows an example process to manage execution requests and asynchronous notifications from a host platform.
DETAILED DESCRIPTION
OVERVIEW
[0011] As discussed above, conventional software applications rely on a feature-rich set of operating system functions. The embodiments of the present application enable an application that was not specifically written to run within a secure execution environment (an unmodified application) to run within a secure execution environment - hereinafter referred to as a user-mode hardware-protected isolation container (UMHPIC) - without trusting any of the code outside the secure execution environment. While code outside the UMHPIC, such as a host operating system, can deny service to code inside the UMHPIC, code outside the UMHPIC cannot interfere with or peer into code execution inside the UMHPIC. Running an unmodified conventional application inside a UMHPIC would ordinarily involve trusting the "host" operating system that runs outside the UMHPIC. An unmodified application typically relies on a host operating system for three reasons: first, conventional applications make use of varied and rich operating system services; second, an unmodified application is not configured to invoke the input and output ports specific to the security-enabled processor that allow execution and data to pass between the UMHPIC and the outside execution environment; and third, the application depends on the correct functioning of the operating system for its security. The embodiments of the present Detailed Description also enable a sandboxed environment, such as those described in U.S. patent application 12/834,895 ("ULTRA-LOW COST SANDBOXING FOR APPLICATION APPLIANCES"), to run within a UMHPIC.
[0012] The embodiments described in this Detailed Description include a UMHPIC-aware platform adaptation layer (U-PAL) that resides partially within a UMHPIC and partially in the execution environment outside. U-PAL facilitates the system resource request interaction between an application running on UMHPIC and a host platform running outside of UMHPIC. And, as part of the facilitation, one or more security-relevant actions are taken. The security-relevant actions, among other things, enable the application to use the host platform to access resources even though the host platform runs outside of UMHPIC and is therefore "untrustworthy" code.
[0013] In embodiments, applications include a trusted library operating system within their UMHPIC; the majority of operating system requests are fulfilled by the library operating system, which invokes the U-PAL services as needed, and the U-PAL in turn invokes the services of the host operating system. The trusted portion of the U-PAL (that is, the portion that resides and runs within the UMHPIC) presents a service interface to the application that runs within the UMHPIC. The untrusted portion of the U-PAL (that is, the portion that resides and runs in user mode outside the UMHPIC) interfaces with the operating system, such as through a system-provided platform adaptation layer (PAL) of the host computer.
[0014] The U-PAL includes a secure services component and a conversion component. The secure services component runs inside the UMHPIC and is therefore a "trusted" component from the application's perspective. The secure services component verifies that all system services, including task scheduling, file system interactions, and resource allocations, are properly managed on behalf of the unmodified application, so that an unmodified host operating system can be relied upon. The conversion component includes both a trusted portion that resides inside the UMHPIC and an untrusted portion that runs in user mode outside the UMHPIC. The conversion component provides the trusted portion of the U-PAL, which includes the secure services component, with access to host operating system functions that run outside the UMHPIC. The conversion component and the secure services component together allow an unmodified application, such as an application packaged with a library OS, to run inside a UMHPIC.
[0015] The processes, systems and devices described in this document can be implemented in a number of ways. Exemplary implementations are provided below with reference to the following Figures.
EXEMPLARY ENVIRONMENT FOR RUNNING AN UNMODIFIED APPLICATION IN A UMHPIC
[0016] Figure 1 is a schematic diagram of a secure execution environment for running an application in a UMHPIC. Aspects of system 100 can be deployed on a variety of suitable computing device types that are capable of providing a secure execution environment for an unmodified application. Suitable computing devices may include, or be part of, one or more personal computers, servers, server farms, data centers, special purpose computers, tablet computers, game consoles, smart phones, combinations thereof, or any other computing device(s) capable of storing and executing all or part of a secure execution environment for running an unmodified application.
[0017] System 100 includes a security-enabled processor 102 configured to instantiate a secure execution environment that includes a UMHPIC 104. The UMHPIC 104 resides in a protected memory area within user-mode memory 106 or memory 108. Except through the specific input and output ports provided by the security-enabled processor 102, which allow code running in the UMHPIC 104 to transfer execution and data into and out of the UMHPIC 104, the code and data stored in the UMHPIC 104 are inaccessible to code outside the UMHPIC 104.
[0018] Tasks exit the UMHPIC 104 to return to unprotected memory via output ports. Output ports can be called directly, such as via a call instruction, or indirectly, such as via a processor exception. The UMHPIC 104 can be protected by encryption mechanisms; for example, the security-enabled processor 102 is configured to encrypt on write operations to the UMHPIC 104 and decrypt on read operations. Furthermore, the UMHPIC 104 can be tracked with a cryptographic hash (either in-line or out-of-band) so that the security-enabled processor 102 can verify on read operations that the memory has not been altered. In other embodiments, the memory space in which the UMHPIC 104 resides can be on the same chip as the security-enabled processor 102, and the memory space can be segregated so that the security-enabled processor 102 can access it only when execution has entered it through a gateway. In various embodiments, the security-enabled processor 102 can be implemented within a single chip, such as a system on chip (SOC), or can be implemented across a processor and additional chipsets of system 100.
[0019] An application 110 runs inside the UMHPIC 104. That is, the security-enabled processor 102 runs the application 110 in such a way that, except through the well-defined input and output ports described in more detail below, it prevents code running outside the UMHPIC 104, including untrusted code 112 or the host operating system (OS) 114, from interfering with or inspecting code or data inside the UMHPIC 104. For example, a task that runs code stored outside the UMHPIC 104 cannot access data stored in the UMHPIC 104. The security-enabled processor 102 can protect code and data within the UMHPIC from probing or interference through various techniques including, but not limited to, encrypting data as it leaves the processor, signing data to detect external interference, blocking direct memory access (DMA) operations from I/O devices, cache separation, or using memory stored directly in the processor. This provides protection against untrusted code - that is, any code that runs outside the UMHPIC 104 - inspecting or interfering with the contents of the UMHPIC 104.
[0020] Untrusted code 112 runs in user mode outside the UMHPIC. The security-enabled processor 102 executes untrusted code 112 in a way that prevents it from accessing code and data within the UMHPIC 104. Multiple UMHPICs are possible, and the security-enabled processor 102 can execute untrusted code 112 in another UMHPIC. Even if run in another UMHPIC, untrusted code 112 is "untrusted" from the perspective of the UMHPIC 104. On some security-enabled processors, UMHPICs can be nested: an inner UMHPIC is protected from code in the outer UMHPIC and from all code outside the outer UMHPIC. In the case of nested UMHPICs, the outer UMHPIC's code is not trusted by the inner UMHPIC; the code and data of the inner UMHPIC cannot be interfered with or inspected by code in the outer UMHPIC.
[0021] An initialization process - such as is described in the related U.S. patent application XXXXXX, filed concurrently and bearing attorney docket number MS1-5267US - can be used to initialize the UMHPIC 104 in a manner that gives a client system confidence that the UMHPIC 104 is established with the client's trusted code and data, and no untrusted code or data, thereby providing the client system with confidence that the application 110 runs properly in the system 100.
[0022] The UMHPIC 104 can be instantiated in the context of a hosted computing service, such as a "cloud computing" service, in which a client system initializes the UMHPIC 104 in order to run the application 110 securely in the cloud computing service. Thus, from the perspective of the client system, all portions of system 100 outside the UMHPIC 104 and the security-enabled processor 102 are "untrusted." The embodiments of the present application enable application 110 to run within the UMHPIC and still access operating system functions of an "untrusted" host operating system, such as host OS 114.
[0023] In various embodiments, application 110 includes one or more subcomponents. In common embodiments, one or more of the application's subcomponents include a library operating system (OS) 116, which may be the same as or similar to the isolated OS subsystems described in patent application No. 12/834,895, filed July 13, 2010 and titled "ULTRA-LOW COST SANDBOXING FOR APPLICATION APPLIANCES". U.S. patent application 12/834,895 describes "application sandboxes" configured to run various operating system elements (sometimes referred to as a "library OS") within an isolated application process separate from other operating system elements. The application sandboxes described in U.S. patent application 12/834,895 protect the host operating system from being intruded upon or scrutinized by the application, but do not necessarily protect the application from being meddled with or scrutinized by the host operating system. The isolated OS subsystem described in U.S. patent application 12/834,895 provides an application with a rich set of APIs intended to directly provide the operating system functions that the application is designed to use. The isolated OS subsystem also uses a small subset of application programming interfaces (APIs) to communicate with a host operating system through the operating system's platform adaptation layer (PAL) in order to provide the application with basic computing services. Host PAL 118 may be the same as or similar to the host operating system PAL described in U.S. patent application 12/834,895. In embodiments, host PAL 118 may include an intercept instruction. In alternative embodiments, host PAL 118 includes libraries that create high-level abstractions from the low-level abstractions of host OS 114. Collectively, host PAL 118 (if present) and host OS 114 make up a host platform 130.
[0024] Library OS 116 can be configured to provide application 110 with a first subset of operating system services (such as, in a non-limiting example, the "rich" set of services described above), and to call the host OS 114 to provide application 110 with a second subset of operating system services (such as, in a non-limiting example, the basic computing services described above). The embodiments of the present description are not limited to running applications, such as application 110, that are packaged with a library OS such as library OS 116. Host PAL 118 and/or library OS 116 are omitted in various embodiments. In at least one embodiment, library OS 116 is omitted, and application 110 consists of a user-mode processor emulator that runs a virtual machine (which in turn can consist of a "guest" operating system and applications).
[0025] A UMHPIC-aware PAL (U-PAL) 120 resides partially within the UMHPIC 104 and partially in the untrusted portion of user-mode memory 106. In various embodiments, the application 110 may be unmodified for execution within the UMHPIC 104; in its unmodified form, application 110 is configured to interface directly with host platform 130 via a service interface provided by host platform 130. U-PAL 120 therefore facilitates the system resource request interaction between application 110 running in the UMHPIC and one or more components of a host platform 130 running outside the UMHPIC. And a secure services component 122 of the U-PAL 120 performs one or more security-relevant actions. The U-PAL 120 provides the application 110 with a service interface within the UMHPIC 104 that emulates the interface provided by the host platform 130. The portion of the U-PAL 120 that resides outside the UMHPIC 104 is configured to interface with the host OS 114, such as via host PAL 118 through a platform interface. In alternative embodiments, host PAL 118 may be a subcomponent of U-PAL 120. In still other embodiments, such as those that omit library OS 116 and host PAL 118, U-PAL 120 emulates all or part of the service interface provided by host OS 114. For example, the U-PAL 120 can provide a partial or full set of the rich APIs that application 110 is configured to use.
[0026] The U-PAL 120 includes the secure services component 122 and a conversion component 124. The secure services component 122 resides entirely within the UMHPIC 104 and performs the security-relevant actions. The secure services component performs security-relevant actions such as validating identifiers returned by the host platform, validating memory allocations, ensuring that task scheduling adheres to the expected semantics (e.g. that mutex primitives do indeed provide mutual exclusion), validating the results of various calls made to host platform 130, updating the data structures needed for such validations, encrypting data, protecting data integrity through digital signatures or message authentication codes, protecting data against replay attacks, and providing secure random numbers. Application 110 may be unmodified and not designed to run within a UMHPIC 104 on an untrusted computing system. Thus, application 110 may have been designed on the assumption that the computing system on which it runs is trustworthy, and is not necessarily configured to validate that host OS 114 behaves properly. But because the computing system 100 cannot be trusted from the perspective of the UMHPIC 104, the host platform 130 cannot be assumed to behave properly. Thus, the secure services component 122 performs security-relevant actions that result in a virtual platform that behaves as expected and appropriately.
[0027] In a non-limiting example, the secure services component 122 validates that interface identifiers returned by host platform 130 in response to device access API calls made by application 110 and/or library OS 116 are suitable. For example, it can determine whether the interface identifiers are duplicates of interface identifiers provided earlier to application 110 and/or library OS 116. Such interface identifiers can be used to access devices such as I/O devices, network devices or other types of devices. In another non-limiting example, the secure services component 122 validates that memory allocations returned by host platform 130 are adequate. For example, it can ensure that a new memory allocation does not overlap memory previously allocated to application 110. Such an overlapping memory allocation could cause application 110 to overwrite its own data unexpectedly, potentially causing it to behave in unpredictable ways.
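The two checks described in [0027] (no overlapping allocations, no duplicate identifiers/handles), as an added example of the bookkeeping a secure services component could keep inside the UMHPIC; this is illustrative code, not the patent's, and the class, method names and the rejection log are assumptions:

```python
"""Added example of the validation a secure services component (cf. component
122) can apply to allocations and handles returned by the untrusted host
platform. Not the patent's code; class and method names are assumptions."""


class SecureServicesValidator:
    """Lives inside the UMHPIC. Remembers what the host has already granted so
    that an overlapping allocation or a duplicate handle is refused before the
    application acts on it. Rejections are logged for later inspection."""

    def __init__(self):
        self._allocations = []   # (base, size) ranges the application currently owns
        self._handles = set()    # handles the application currently holds
        self.rejections = []     # log of refused host results: (kind, detail)

    def validate_allocation(self, base, size):
        """Accept a host-returned range only if it is well formed and disjoint
        from every live range; True on success, False (and a log entry) otherwise."""
        if size <= 0 or base < 0 or base + size < base:
            self.rejections.append(("malformed_allocation", (base, size)))
            return False
        end = base + size
        for b, s in self._allocations:
            if base < b + s and b < end:   # half-open intervals intersect
                self.rejections.append(("overlapping_allocation", (base, size, b, s)))
                return False
        self._allocations.append((base, size))
        return True

    def release_allocation(self, base, size):
        """The application freed a range; the host may legitimately reuse it now."""
        try:
            self._allocations.remove((base, size))
            return True
        except ValueError:
            self.rejections.append(("unknown_release", (base, size)))
            return False

    def validate_handle(self, handle):
        """Accept a device or file handle only if it is not already held: a
        duplicate would make two application objects alias one host object."""
        if handle in self._handles:
            self.rejections.append(("duplicate_handle", handle))
            return False
        self._handles.add(handle)
        return True

    def release_handle(self, handle):
        """Forget a handle the application closed; returns whether it was held."""
        removed = handle in self._handles
        self._handles.discard(handle)
        return removed
```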
[0028] In another non-limiting example, the secure services component 122 is configured to protect data to be written to a file on a file system of the host platform 130, for instance using encryption, digital signatures, message authentication codes and/or measures to protect against replay attacks, such as those described in U.S. Patent No. 7,421,579, issued to England et al. on September 2, 2008 and entitled "Multiplexing a secure counter to implement second level secure counters"; U.S. Patent No. 7,065,607, issued to England et al. on June 20, 2006 and entitled "System and method for implementing a counter"; and in "Memoir: Practical State Continuity for Protected Modules," by Bryan Parno, Jacob R. Lorch, John R. Douceur, James Mickens, and Jonathan M. McCune, published in Proceedings of the IEEE Symposium on Security and Privacy, IEEE, May 2011. Application 110 itself may be configured to write data to a file system in unprotected form because application 110, as noted above, may have been developed on the assumption that the computing system on which it runs is trustworthy. Thus, when application 110 and/or library OS 116 issues an API call to write data to the file system, secure services component 122 protects the application's data before passing the protected data in a call to the host platform 130. The secure services component is also configured to unprotect and/or verify data read from the host platform, since the application 110 may not be configured to receive protected data from the file system and may be unable to verify digital signatures or message authentication codes or to check for replay attacks. In another embodiment, the secure services component 122 can implement all file system access through a secure virtual file system, which may use encryption, digital signatures, message authentication codes, and/or measures to prevent replay attacks, thereby avoiding exposure of trusted file names and metadata to the host platform 130.
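An added example of the write-path protection and read-path verification just described: a message authentication code binds the data to the file name and to a write counter kept inside the UMHPIC, so that a tampered blob, another file's blob, or a replayed older version is rejected on read. It is not the patent's code; the blob layout, the names and the constructed key are assumptions, and encryption of the data (which the paragraph also contemplates) is omitted to keep the example to the integrity and anti-replay checks.

```python
"""Added example of how a secure services component (cf. 122) could protect
data the application writes to the host file system. Not the patent's code;
the blob layout and names are assumptions; encryption is omitted."""
import hashlib
import hmac
import struct

KEY = bytes(range(32))   # constructed key; a real deployment derives it inside the UMHPIC
TAG_LEN = 32             # HMAC-SHA256 output size


class SealedStore:
    """Trusted state kept inside the UMHPIC: the MAC key and, per file name,
    the counter of the most recent sealed write (the expected current version)."""

    def __init__(self, key):
        self._key = key
        self._latest = {}    # file name -> counter of the latest write

    def _tag(self, name, counter, data):
        # Length-prefix the name so (name, data) pairs cannot be shifted into each other.
        msg = struct.pack(">I", len(name)) + name + struct.pack(">Q", counter) + data
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def seal(self, name, data):
        """Write path: returns the blob to hand to the untrusted host platform."""
        counter = self._latest.get(name, 0) + 1
        self._latest[name] = counter
        return struct.pack(">Q", counter) + self._tag(name, counter, data) + data

    def unseal(self, name, blob):
        """Read path: returns the data, or None if the host returned a tampered
        blob, another file's blob, or a stale (replayed) version."""
        if len(blob) < 8 + TAG_LEN:
            return None
        counter = struct.unpack(">Q", blob[:8])[0]
        tag, data = blob[8:8 + TAG_LEN], blob[8 + TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(name, counter, data)):
            return None                     # integrity failure or wrong file
        if counter != self._latest.get(name):
            return None                     # replay of an older version
        return data
```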
[0029] Application 110 can be configured to request task scheduling services from host platform 130. It would be possible, however, for an untrusted, misbehaving host platform 130 to schedule tasks in such a way as to cause application 110 to execute incorrectly. For example, if a task of application 110 acquires a lock, a misbehaving operating system could allow another task to acquire the same lock, causing the tasks to interfere with each other and producing unpredictable results. Thus, the secure services component 122 may include a user-mode task scheduler configured to manage the scheduling of tasks by the application 110 and/or the library OS 116. Such a user-mode task scheduler may not be required, for example, if application 110 and library OS 116 have only one execution task. If application 110 and/or library OS 116 invokes a host function related to task scheduling, the secure services component 122 may handle the task scheduling call itself rather than passing it to the host platform 130.
[0030] The conversion component 124 of the U-PAL 120 provides the ability to pass API calls from the secure services component 122 to the host platform 130. A trusted portion of the conversion component, the trusted conversion component 126, runs inside the UMHPIC 104 and is configured to marshal the parameters associated with calls to the host platform 130, invoke an output port provided by the security-enabled processor 102, and pass the marshaled parameters to an untrusted conversion component 128. Thus, the trusted conversion component 126 acts as a transport for calls from the secure services component 122 to the host platform 130.
[0031] The trusted conversion component 126 also receives execution requests from host platform 130, and the results of calls made to host platform 130, through an input port invoked by the untrusted conversion component 128. The trusted conversion component 126 unmarshals the various parameters associated with those execution requests and results and passes them to the secure services component 122 for validation.
[0032] The untrusted conversion component 128, also part of the conversion component 124, runs outside the UMHPIC 104. It is configured to unmarshal the parameters passed to it by the trusted conversion component 126 through the output port, and to make the corresponding calls to host platform 130 (such as invoking operating system calls of host OS 114 through host PAL 118) on behalf of the UMHPIC 104. The untrusted conversion component 128 receives execution requests and system call results from host platform 130, marshals the corresponding parameters for those execution requests and results, invokes an input port, and passes the marshaled parameters to the trusted conversion component 126. Thus, the untrusted conversion component 128 acts as a transport into the UMHPIC for call results and execution requests from the host platform 130.
[0033] In a common embodiment, the untrusted conversion component 128 runs in user mode outside the UMHPIC 104 and can be invoked by the trusted conversion component 126 through an explicit output port. In an alternative embodiment, the untrusted conversion component 128 runs as a subcomponent of the host platform 130 and can be invoked by a system call or intercept instruction issued within the trusted conversion component 126.
[0034] The conversion component 124 is configured to invoke the input and output functions of the security-enabled processor 102, thereby allowing it to pass parameters and execution from the UMHPIC 104 to the external execution environment and vice versa. As noted elsewhere, application 110 may be unmodified and unaware that it runs within the UMHPIC 104, and therefore may not be configured to invoke the output ports of the security-enabled processor 102 in order to pass calls to host platform 130. Likewise, host PAL 118 may also be unmodified, with no support for an application running in a UMHPIC 104, and therefore may not be configured to invoke the input ports of the security-enabled processor 102 for the purpose of passing execution requests and call results back to the application 110. Thus, the conversion component 124 provides the ability to invoke the input and output ports of the security-enabled processor 102 on behalf of the application 110 and the host PAL 118. The secure services component 122 provides the ability to manage task execution, to protect application data written to untrusted storage, and to validate the behavior of the host platform 130 on behalf of the application 110 and take the corresponding security-relevant actions. Together, the conversion component 124 and the secure services component 122 enable the application 110 to run inside the UMHPIC 104 while still making use of system resources provided by the "untrusted" host OS 114.
EXEMPLARY COMPUTING DEVICE TO PROVIDE A SECURE EXECUTION ENVIRONMENT
[0035] Figure 2 is a block diagram of an exemplary computing system usable to provide a secure execution environment according to embodiments. Computing system 200 can be configured as any suitable computing device capable of providing a secure execution environment. According to various non-limiting examples, suitable computing devices may include personal computers (PCs), servers, server farms, data centers, special purpose computers, tablet computers, game consoles, smart phones, combinations thereof, or any other computing device(s) capable of storing and executing all or part of the secure execution environment.
[0036] In an exemplary configuration, computing system 200 comprises one or more processors 202 and memory 204. Processors 202 include one or more security-enabled processors that are the same as or similar to security-enabled processor 102. Processors 202 may also include one or more general purpose or special purpose processors other than a security-enabled processor. Computing system 200 may also contain communication connection(s) 206 that allow communication with various other systems. Computing system 200 may also include one or more input devices 208, such as a keyboard, mouse, pen, voice input device, touch input device, etc., and one or more output devices 210, such as a monitor, speakers, printer, etc., communicatively coupled to processor(s) 202 and memory 204.
[0037] The memory 204 can store program instructions that are loadable and executable in the processor(s) 202, as well as data generated during the execution of, and/or usable in conjunction with, those programs. In the illustrated example, memory 204 stores an operating system 212, which provides basic system functionality of computer system 200 and, among other things, enables operation of the other programs and modules of computer system 200. Operating system 212 can be the same or similar to host OS 114.
[0038] Memory portions 204 may be included within a UMHPIC as described elsewhere within this Detailed Description. Memory 204 can be split between memory on the same physical chip as the processor and memory on other chips. Memory 204 includes a U-PAL 214 which may be the same as or similar to U-PAL 120. Memory 204 includes an application 216 which may be the same or similar to application 110. Application 216 may include a library OS, as described elsewhere within this Detailed Description, configured to interface with a host PAL 218, which may be the same or similar to host PAL 118. Memory 204 includes untrusted codes 220, which may be the same or similar to host PAL 118. may be the same or similar to untrusted code 112. EXEMPLIFICATION OPERATIONS FOR THE EXECUTION OF AN APPLICATION IN A UMHPIC
[0039] Figure 3 is a flowchart showing an example process 300 for providing security to an application, such as application 110, running on a UMHPIC, such as UMHPIC 104. In 302, an application runs inside the UMHPIC, as per is described elsewhere within this Detailed Description.
[0040] At 304, a U-PAL, such as the U-PAL 120, facilitates a resource allocation request interaction between an application that runs inside UMHPIC and a host platform that runs outside UMHPIC. Facilitation may include passing requests from the application, and host platform outputs out and into UMHPIC, as described elsewhere within this Detailed Description. Facilitation may include invoking the input and output ports and adjusting the parameters as described elsewhere within this Detailed Description. Facilitation can include passing system resource requests, and receiving associated results from a host platform.
[0041] At 306, a secure services component of the U-PAL, such as the secure services component 122, performs, as part of facilitation, a security-relevant action. Relevant security action may include, in varying modalities, encrypting application data associated with the system service request interaction; decrypt data associated with the system service request interaction for the application; maintain a data structure log to store information regarding system service request interaction; verify the accuracy of a resource allocation result that is provided by the host platform as part of the system service request interaction; check for overlapped memory allocation; determine whether the device identifier is a duplicate device identifier; perform task scheduling services, and so on, as described elsewhere within this Detailed Description. Other relevant safety actions can be performed without departing from the scope of this description.
[0042] Figure 4 is a flowchart showing an example process 400 for facilitating a system service request interaction between an application that runs inside a UMHPIC and a host platform, such as host platform 130, that runs outside the UMHPIC. At 401, an application runs in the UMHPIC.
[0043] At 402, the application running in the UMHPIC issues a call to a system service. The UMHPIC is provided by a security-enabled processor, such as security-enabled processor 102. The security-enabled processor provides at least one output port to pass execution out of the UMHPIC and at least one input port to pass execution into the UMHPIC. The call can come from any subcomponent of the application, including a library OS such as library OS 116. The application and its subcomponents, including the library OS, can run unmodified inside the UMHPIC and may have no native ability to transfer execution out of the UMHPIC.
[0044] At 404, a secure services component of a U-PAL, such as secure services component 122 of U-PAL 120, receives the call from the application. The secure services component runs inside the UMHPIC.
[0045] At 405, the U-PAL can protect data in the call parameters before they are sent to the host platform. For example, the U-PAL can encrypt data that the host platform will write to persistent storage.
[0046] At 406, a trusted translation component of the U-PAL, such as trusted translation component 126 of U-PAL 120, marshals the call parameters. For some parameters, such as scalar values, marshalling can be a no-op. For other parameters, marshalling can be more complex. For example, if the call writes a buffer to disk, the trusted translation component can allocate a temporary buffer in unprotected memory outside the protected memory area, copy the buffer contents from the protected memory area into that temporary buffer, and update the buffer pointer in the call parameters to point to the temporary buffer. In another example, a parameter might be a data structure containing pointers, which the trusted translation component serializes into a temporary buffer.
[0047] At 408, the trusted translation component invokes a UMHPIC output port provided by the security-enabled processor to transfer execution to the code of an untrusted translation component, such as untrusted translation component 128 of U-PAL 120, which runs outside the UMHPIC.
[0048] At 410, the untrusted translation component unmarshals the call parameters. For some parameters, such as scalar values, unmarshalling can be a no-op. For other parameters it can be more complex; for example, it can deserialize a serialized pointer-bearing data structure. Various embodiments can include optimizations and/or additional coordination between the untrusted and trusted translation components to improve performance, and various marshalling and unmarshalling optimizations can be used.
[0049] At 412, the untrusted translation component issues the call to a host platform, such as host platform 130. At 414, the host platform performs the requested system service.
[0050] At 416, when execution returns from the host platform to the untrusted translation component, the untrusted translation component marshals the call results. For some results, such as scalar values, marshalling can be a no-op. For other results it can be more complex; for example, it serializes a pointer-bearing data structure.
[0051] At 418, the untrusted translation component invokes a UMHPIC input port provided by the security-enabled processor to transfer execution to the code of the trusted translation component, which runs inside the UMHPIC.
[0052] At 420, the trusted translation component unmarshals the call results. For some results, such as scalar values, unmarshalling can be a no-op. For other results it can be more complex. For example, if the call reads a buffer from disk, the trusted translation component can copy the data from the temporary buffer in unprotected memory into a buffer in the protected memory area and update the buffer pointer in the results to point to the final buffer. In another example, a result might be a serialized data structure containing pointers, which the trusted translation component deserializes.
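The synchronous path of Figure 4, steps 406 through 420, as an added example; it is not the patent's code. Protected and unprotected memory are modelled as two separate byte arrays, a "pointer" is an offset into one of them, the output and input ports are ordinary function calls, the host file system is a dictionary, and the call shape (a `writev`-style call carrying a list of buffers) and all names are assumptions. The trusted side copies every buffer out of protected memory, rewrites each pointer to its untrusted copy and serializes the pointer-bearing list into a flat message; the untrusted side deserializes it, calls the host and marshals the result back; the trusted side then refuses a result the host could not legitimately have produced:

```python
import struct

PAGE = 4096
protected = bytearray(PAGE)     # protected memory: only the application and U-PAL see it
unprotected = bytearray(PAGE)   # unprotected memory: the host platform reads and writes it
_next_free = 0                  # bump allocator for temporary buffers in unprotected memory
host_files = {}                 # constructed stand-in for the host file system

CALL_WRITEV = 7                 # hypothetical call identifier
HDR = struct.Struct("<III")     # call id, fd, number of iovec entries
IOV = struct.Struct("<QQ")      # (offset in unprotected memory, length)


def alloc_unprotected(n):
    global _next_free
    off = _next_free
    if off + n > len(unprotected):
        raise MemoryError("out of temporary buffer space")
    _next_free += n
    return off


# ---- trusted translation component (runs inside the UMHPIC) ----
def marshal_writev(fd, iov):
    """iov is a list of (pointer into protected memory, length). Step 406."""
    out = [HDR.pack(CALL_WRITEV, fd, len(iov))]   # fd is a scalar: passed through unchanged
    for p, n in iov:
        tmp = alloc_unprotected(n)
        unprotected[tmp:tmp + n] = protected[p:p + n]   # copy out: the host cannot read protected memory
        out.append(IOV.pack(tmp, n))                     # pointer fix-up: untrusted address replaces the protected one
    return b"".join(out)                                 # serialized pointer-bearing structure


def unmarshal_result(raw, requested):
    """Step 420 plus the basic sanity check a trusted side must apply to host results."""
    (ret,) = struct.unpack("<q", raw)
    if ret > requested:
        raise ValueError("host reported more bytes written than were requested")
    return ret


# ---- untrusted translation component (runs outside the UMHPIC) ----
def dispatch(msg, host=None):
    """Steps 410 to 416: unmarshal, call the host, marshal the result for the input port."""
    host = host or host_writev
    call, fd, cnt = HDR.unpack_from(msg, 0)
    if call != CALL_WRITEV:
        return struct.pack("<q", -1)
    chunks = []
    for i in range(cnt):
        off, n = IOV.unpack_from(msg, HDR.size + i * IOV.size)
        chunks.append(bytes(unprotected[off:off + n]))
    return struct.pack("<q", host(fd, chunks))


def host_writev(fd, chunks):
    """Stand-in for the host platform's write service (step 414)."""
    buf = host_files.setdefault(fd, bytearray())
    for c in chunks:
        buf.extend(c)
    return sum(len(c) for c in chunks)


def enclave_writev(fd, iov, host=None):
    """What the application's system-service call turns into once the U-PAL handles it."""
    msg = marshal_writev(fd, iov)          # 406
    raw = dispatch(msg, host)              # 408 (output port) .. 418 (input port)
    return unmarshal_result(raw, sum(n for _, n in iov))   # 420


def demo():
    # constructed application data placed in protected memory
    protected[0:5] = b"hello"
    protected[100:106] = b" world"
    n = enclave_writev(3, [(0, 5), (100, 6)])
    return n, bytes(host_files[3])
```

`demo()` returns `(11, b"hello world")`; passing a host callback that claims a larger byte count than was requested makes `enclave_writev` raise, which is the trusted side's first line of defence before the record-data-structure checks of step 422 run.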
[0053] At 421, the secure services component can decrypt data read from storage provided by the host platform and can also verify digital signatures or message authentication codes to check data integrity. It can also perform checks that protect against replay attacks, in which the host returns a stale but validly authenticated copy of the data. These steps can also be applied, for example, to virtual memory pages as they are read back from page files on disk. As noted elsewhere within this Detailed Description, the secure services component protects data written to the host storage system by the application running in the UMHPIC, because the host platform and its storage services, including any file system the host platform provides, are not trusted by applications running in the UMHPIC. The application itself may be unmodified for the UMHPIC and may therefore write data to a file system without protecting it. Data read back from the file system is thus decrypted and/or verified by the secure services component, since the application is not written to receive protected data and may not be able to decrypt or verify it. In embodiments, decryption step 421 may be combined with unmarshalling step 420 as an optimization.
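The protection applied at 405 and undone and verified at 421, as an added example rather than the patent's code. It assumes a root key already provisioned to the U-PAL, builds encrypt-then-MAC from HMAC-SHA256 (a keyed PRF in counter mode as the cipher; in practice an AEAD such as AES-GCM would replace both halves), binds the file name and a per-file version counter into the MAC, and keeps the newest version of each file in protected memory so that a stale but validly authenticated copy handed back by the host is rejected. The class, exception and key-label names are assumptions:

```python
import hashlib
import hmac
import os
import struct


class StorageError(Exception):
    pass


class IntegrityError(StorageError):
    pass


class ReplayError(StorageError):
    pass


VERSION_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32
HEADER = struct.Struct("<Q")


class SealedStorage:
    """Protects application data before it leaves the UMHPIC (405) and verifies it
    on the way back in (421). All state here lives in protected memory."""

    def __init__(self, root_key):
        # separate encryption and authentication keys derived from the assumed root key
        self.k_enc = hmac.new(root_key, b"U-PAL storage enc", hashlib.sha256).digest()
        self.k_mac = hmac.new(root_key, b"U-PAL storage mac", hashlib.sha256).digest()
        self.latest = {}   # file name -> newest version written: the anti-replay state

    def _keystream(self, nonce, n):
        # HMAC-SHA256 in counter mode as a keyed PRF stream; stand-in for a real cipher
        blocks, ctr = [], 0
        while sum(len(b) for b in blocks) < n:
            blocks.append(hmac.new(self.k_enc, nonce + struct.pack("<Q", ctr),
                                   hashlib.sha256).digest())
            ctr += 1
        return b"".join(blocks)[:n]

    def _tag(self, name, header, ct):
        # the name and the version header are authenticated, so a blob can be neither
        # moved between files nor rolled back without the MAC failing
        return hmac.new(self.k_mac, name.encode() + header + ct, hashlib.sha256).digest()

    def seal(self, name, plaintext):
        """Step 405: produce the only form of the data the untrusted host gets to store."""
        version = self.latest.get(name, 0) + 1
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        header = HEADER.pack(version) + nonce
        self.latest[name] = version
        return header + ct + self._tag(name, header, ct)

    def unseal(self, name, blob):
        """Step 421: verify the MAC, then check the version, then decrypt."""
        if len(blob) < VERSION_LEN + NONCE_LEN + TAG_LEN:
            raise IntegrityError("truncated blob")
        hdr_end = VERSION_LEN + NONCE_LEN
        header, ct, tag = blob[:hdr_end], blob[hdr_end:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(name, header, ct)):
            raise IntegrityError("MAC mismatch: host modified or swapped the data")
        (version,) = HEADER.unpack(header[:VERSION_LEN])
        if version != self.latest.get(name):
            raise ReplayError("version %d returned, %s expected" % (version, self.latest.get(name)))
        nonce = header[VERSION_LEN:]
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))
```

The version table is the part that makes the replay check work, and it only protects across restarts if it is itself persisted under protection (for instance, bound to a hardware monotonic counter); this example keeps it in memory only, which is enough to show the check but not to survive a reboot.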
[0054] At 422, the secure services component checks the returned results against record data structures to verify that the results are consistent and trustworthy. In embodiments, the call may have been a request for a system resource or service, and the secure services component verifies that the result returned in response is valid for the requested resource or service. The system resource can be, in various embodiments, an allocated memory resource, a network resource, an input/output resource, or another system resource.
[0055] The secure services component can use the record data structures to validate anything the untrusted host platform hands back. For example, the record data structures can enable the secure services component to validate interface identifiers and memory allocations returned by the host platform. In embodiments where the result is an interface or resource identifier, the secure services component verifies that the returned identifier is not a duplicate of a previously provided identifier, in order to prevent identifier replay attacks. In embodiments where the result is an indication of memory allocated to the application, the secure services component checks that the allocated memory was not previously allocated to the application (which could cause the application to overwrite its own data and behave unexpectedly), that it is accessible to the application, and that it does not lie within a reserved or invalid address range. In embodiments, the record data structures include structures for storing data related to one or more memory allocations, resource identifiers, and task identifiers.
[0056] At 424, if the check of the call results against the record data structures determines that the results are valid and can therefore be trusted, execution proceeds.
[0057] At 426, if the check at 422 indicates that one or more of the results are invalid, the secure services component returns a failure result to the application. In some embodiments, the failure result is an error code appropriate to that service request; for example, a well-known "disk read error" code for a disk read service request. In some embodiments, the failure is delivered to the application as a catastrophic failure that causes the application to terminate immediately.
[0058] At 428, if the check at 422 indicates that the results are valid, the secure services component updates the record data structures as appropriate for the type of service request. For example, if the service request allocated a new memory region, the secure services component might update a memory allocation table; it can also instruct the security-enabled processor to add the new memory region to the UMHPIC's protected memory area.
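The record-data-structure checks of steps 422 through 428 for two result types, a memory allocation and a resource identifier, as an added example rather than the patent's code. The valid and reserved address ranges, the error codes and all names are assumptions; a host result is validated against the records before the records are updated, in the order 422 then 428 that the text requires:

```python
import bisect

# Assumed (hypothetical) address ranges for the container.
VALID_LO, VALID_HI = 0x0001_0000, 0x8000_0000   # addresses the application may be given
RESERVED = [(0x7FF0_0000, 0x8000_0000)]          # e.g. pages the U-PAL keeps for itself

EINVAL, EEXIST = 22, 17   # error codes returned to the application (assumed choice)


class RecordData:
    """Record data structures kept inside the UMHPIC by the secure services component."""

    def __init__(self):
        self.allocations = []     # sorted half-open (base, end) ranges already given to the app
        self.identifiers = set()  # resource/device identifiers already given to the app

    # --- step 422: validate what the untrusted host returned ---------------------
    def check_allocation(self, base, length):
        """Return None if the host's allocation result is acceptable, else the reason."""
        end = base + length
        if length <= 0 or base < VALID_LO or end > VALID_HI:
            return "outside valid address range"
        if any(base < hi and lo < end for lo, hi in RESERVED):
            return "inside reserved range"
        # half-open intervals intersect iff each starts before the other ends;
        # an allocation immediately adjacent to an existing one is fine
        if any(base < hi and lo < end for lo, hi in self.allocations):
            return "overlaps an existing allocation"
        return None

    def check_identifier(self, ident):
        return "duplicate identifier" if ident in self.identifiers else None

    # --- step 428: record the result only after it passed 422 -------------------
    def record_allocation(self, base, length):
        bisect.insort(self.allocations, (base, base + length))

    def record_identifier(self, ident):
        self.identifiers.add(ident)

    def release_allocation(self, base, length):
        # freeing a region makes its range eligible for a later allocation again
        self.allocations.remove((base, base + length))


def accept_allocation(records, base, length):
    """Steps 422 to 430 for a memory allocation result: (ok, value or error code)."""
    if records.check_allocation(base, length) is not None:
        return False, EINVAL               # 426: an error code relevant to the request
    records.record_allocation(base, length)   # 428
    return True, base                      # 430


def accept_identifier(records, ident):
    """Steps 422 to 430 for an interface or resource identifier result."""
    if records.check_identifier(ident) is not None:
        return False, EEXIST
    records.record_identifier(ident)
    return True, ident
```

The overlap test is the one the claims single out: a host that returns a region already handed to the application would make the application overwrite its own data, so the region is refused with an error code before any record is changed.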
[0059] At 430, the secure services component provides the successful results of the call to the application, which continues its execution.
[0060] Figure 5 is a flowchart showing an example process 500 for handling execution requests and/or asynchronous event notifications from a host platform, such as host platform 130. At 502, an untrusted translation component, such as untrusted translation component 128, receives an asynchronous execution request or notification from the host platform, such as from host OS 114 or host PAL 118. Various well-defined parameters accompany the asynchronous requests and notifications.
[0061] At 504, the untrusted translation component marshals the parameters that accompany the requests and notifications. That is, the untrusted translation component transforms the parameters so that they can be passed, via an input port, to a process running inside a UMHPIC, such as UMHPIC 104.
[0062] At 506, the untrusted translation component invokes an input port provided by the security-enabled processor to pass the marshalled parameters associated with the requests and notifications into the UMHPIC. At 508, a trusted translation component running inside the UMHPIC, such as trusted translation component 126, receives the marshalled parameters through the input port.
[0063] At 510, the trusted translation component unmarshals the parameters received from the untrusted translation component. Unmarshalling transforms the marshalled parameters to recreate the execution request or asynchronous notification. At 512, the trusted translation component passes the unmarshalled parameters to a secure services component running inside the UMHPIC, such as secure services component 122.
[0064] At 514, the secure services component performs security-relevant actions. These actions can include checking that the execution request or asynchronous notification provided by the host platform is valid.
[0065] At 516, the secure services component passes the execution request or asynchronous notification to the application and/or a library OS running in the UMHPIC.
[0066] Figures 3 to 5 are flowcharts showing example processes in accordance with various embodiments. The operations of these processes are illustrated in individual blocks and summarized with reference to those blocks. The processes are illustrated as logical flowcharts, each operation of which can represent a set of operations that can be implemented in hardware, software, or a combination thereof. In the context of software, the operations represent computer-executable instructions stored on one or more computer storage media that, when executed by one or more processors, cause the one or more processors to perform the recited operations. Generally, computer-executable instructions include routines, programs, objects, modules, components, data structures, and the like that perform particular functions or implement particular abstract data types. The order in which the operations are described is not intended to be interpreted as a limitation, and any number of the described operations can be combined in any order, separated into sub-operations, and/or performed in parallel to implement the process. Processes according to various embodiments of the present description may include only some or all of the operations depicted in the logical flowcharts.

COMPUTER-READABLE MEDIA
[0067] Depending on the configuration and the type of computing device used, memory 204 of computing system 200 in Figure 2 may include volatile memory (such as random access memory (RAM)) and/or non-volatile memory (such as read-only memory (ROM), flash memory, etc.). Memory 204 may also include additional removable and/or non-removable storage, including but not limited to flash memory, magnetic storage, optical storage, and/or tape storage, that can provide non-volatile storage of computer-readable instructions, data structures, program modules, and other data for computing system 200.
[0068] Memory 204 is an example of computer-readable media. Computer-readable media includes at least two types of computer-readable media, namely computer storage media and communication media.
[0069] Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules, or other data. Computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information for access by a computing device.
[0070] In contrast, communication media may embody computer-readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave, or other transmission mechanism. As defined herein, computer storage media does not include communication media.

CONCLUSION
[0071] Although the description uses language specific to structural features and/or methodological acts, the invention is not limited to the specific features or acts described. Rather, the specific features and acts are disclosed as illustrative ways of implementing the invention.
Claims:
Claims (9)
1. Method (300) comprising: running (302) an application in a user-mode hardware-protected isolation container, UMHPIC (104), the UMHPIC (104) being protected by a security-enabled processor (102) that provides at least one output port for passing execution out of the UMHPIC (104) and one input port for returning execution into the UMHPIC (104); passing a system service request interaction from the application, and results from a host platform, out of and into the UMHPIC (104) through a UMHPIC-aware platform adaptation layer running inside the UMHPIC (104) and on one or more untrusted host platform components (130) running outside the UMHPIC (104); and performing (306), by a secure services component of the UMHPIC-aware platform adaptation layer, a security-relevant action; characterized in that a resource allocation result provided as part of the security-relevant action includes an indication of memory resources, and in that checking the accuracy of the resource allocation result includes a check for overlapping memory allocations.
2. Method (300) according to claim 1, characterized in that the security-relevant action includes encrypting data that belongs to the application and is associated with the system service request interaction.
3. Method (300) according to claim 1, characterized in that the security-relevant action includes maintaining a record data structure to store information regarding the system service request interaction.
4. System (200) comprising: one or more processors (102, 202) including a security-enabled processor (102) configured to provide at least one input port and one output port for passing execution into and out of, respectively, a user-mode hardware-protected isolation container, UMHPIC (104); a memory (204) that includes the UMHPIC (104); and a UMHPIC-aware platform adaptation layer executable by the security-enabled processor (102), at least partially within the UMHPIC (104), for passing a system service request interaction between an application running in the UMHPIC (104) and one or more untrusted components of a host platform running outside the UMHPIC (104), the UMHPIC-aware platform adaptation layer including a secure services component (122) executable by the security-enabled processor (102) inside the UMHPIC (104) to perform a security-relevant action as part of passing the system service request interaction, and one or more untrusted host platform components running outside the UMHPIC; characterized in that a resource allocation result provided as part of the security-relevant action includes an indication of memory resources, and in that checking the accuracy of the resource allocation result includes a check for overlapping memory allocations.
5. System (200) according to claim 4, characterized in that the system service request interaction is a resource allocation request and the security-relevant action includes checking the accuracy of a resource allocation result provided by the host platform as part of the system service request interaction.
6. System (200) according to claim 4, characterized in that the security-relevant action includes performing task scheduling services.
7. Computer-readable storage medium (108, 204) storing a method comprising the steps of: running an application in a user-mode hardware-protected isolation container, UMHPIC, the UMHPIC being protected by a security-enabled processor that provides at least one output port for passing execution out of the UMHPIC and one input port for returning execution into the UMHPIC; passing (304) a system service request interaction from the application, and results from a host platform, into the UMHPIC through a UMHPIC-aware platform adaptation layer running inside the UMHPIC (104) and on one or more untrusted host platform components running outside the UMHPIC (104); and performing (306), by a secure services component of the UMHPIC-aware platform adaptation layer on behalf of the application as part of passing the system service request interaction, a security-relevant action; characterized in that a resource allocation result provided as part of the security-relevant action includes an indication of memory resources, and in that checking the accuracy of the resource allocation result includes a check for overlapping memory allocations.
8. Computer-readable storage medium (108, 204) according to claim 7, characterized in that the system service request interaction includes a resource allocation request and the security-relevant action includes checking the accuracy of a resource allocation result provided by the host platform (130) as part of the system service request interaction.
9. Computer-readable storage medium (108, 204) according to claim 8, characterized in that the resource allocation result includes a device identifier and checking the accuracy of the resource allocation result includes determining whether the device identifier is a duplicate device identifier.
Patent family:
Publication number | Publication date
EP2791857A4|2015-06-03|
JP6083097B2|2017-02-22|
JP2015500543A|2015-01-05|
MX2014007102A|2014-07-28|
US20130152209A1|2013-06-13|
IN2014CN03961A|2015-10-23|
CN103136468A|2013-06-05|
MX345408B|2017-01-30|
WO2013090044A1|2013-06-20|
EP2791857B1|2019-08-07|
KR102073433B1|2020-02-04|
CN103136468B|2016-08-03|
CA2857586C|2019-04-23|
RU2621001C2|2017-05-30|
KR20140101367A|2014-08-19|
EP2791857A1|2014-10-22|
AU2012352754A1|2014-07-03|
US9389933B2|2016-07-12|
BR112014014153A2|2017-06-13|
AU2012352754B2|2017-10-19|
CA2857586A1|2013-06-20|
RU2014123659A|2015-12-20|
US7913252B2|2006-04-11|2011-03-22|Installfree, Inc.|Portable platform for executing software applications in a virtual environment|
US7747785B2|2006-04-14|2010-06-29|Microsoft Corporation|Instant messaging plug-ins|
US8104041B2|2006-04-24|2012-01-24|Hewlett-Packard Development Company, L.P.|Computer workload redistribution based on prediction from analysis of local resource utilization chronology data|
US8117554B1|2006-04-25|2012-02-14|Parallels Holdings, Ltd.|Seamless integration of non-native widgets and windows with dynamically scalable resolution into native operating system|
US7725305B2|2006-06-08|2010-05-25|Microsoft Corporation|Partial virtualization on computing device|
US7812985B2|2006-06-09|2010-10-12|Kabushiki Kaisha Toshiba|System and method for rerouting of document processing jobs|
US20080016339A1|2006-06-29|2008-01-17|Jayant Shukla|Application Sandbox to Detect, Remove, and Prevent Malware|
US20080005472A1|2006-06-30|2008-01-03|Microsoft Corporation|Running applications from removable media|
US7644264B1|2006-10-17|2010-01-05|Symantec Corporation|Method and system for creating and deploying disk images|
US20080127182A1|2006-11-29|2008-05-29|Newport William T|Managing Memory Pages During Virtual Machine Migration|
US8171502B2|2006-11-29|2012-05-01|Sony Ericsson Mobile Communications Ab|Methods, devices and computer program products for automatically installing device drivers from a peripheral device onto a host computer|
US8452853B2|2007-03-05|2013-05-28|International Business Machines Corporation|Browser with offline web-application architecture|
WO2008111052A2|2007-03-09|2008-09-18|Ghost, Inc.|A virtual file system for the web|
US8037039B2|2007-04-20|2011-10-11|Microsoft Corporation|Runtime class database operation|
US20080276012A1|2007-05-04|2008-11-06|Joe Mesa|Driver Loading via a PnP Device|
US8239959B2|2007-05-09|2012-08-07|International Business Machines Corporation|Method and data processing system to prevent manipulation of computer systems|
US8875266B2|2007-05-16|2014-10-28|Vmware, Inc.|System and methods for enforcing software license compliance with virtual machines|
ITRM20070347A1|2007-06-21|2008-12-22|Space Software Italia S P A|METHOD AND SYSTEM FOR THE INTERACTION AND COOPERATION OF SENSORS, ACTUATORS AND ROBOTS|
US20090064196A1|2007-08-31|2009-03-05|Microsoft Corporation|Model based device driver code generation|
US20090094337A1|2007-10-08|2009-04-09|Eric Wilfred Bruno Dias|Method of accessing web e-mail off-line|
CN100498816C|2007-11-19|2009-06-10|南京大学|Reference monitor implementing method of high safety grade operating system|
US8505029B1|2007-11-26|2013-08-06|Adobe Systems Incorporated|Virtual machine communication|
JP4740926B2|2007-11-27|2011-08-03|フェリカネットワークス株式会社|Service providing system, service providing server, and information terminal device|
EP2238535A4|2007-12-20|2011-03-09|Virtual Computer Inc|Virtual computing management systems and methods|
US8671404B2|2008-02-12|2014-03-11|Red Hat, Inc.|Distributing and managing virtual machines|
US8156503B2|2008-02-12|2012-04-10|International Business Machines Corporation|System, method and computer program product for accessing a memory space allocated to a virtual machine|
US20090210871A1|2008-02-20|2009-08-20|Zak Dechovich|System and method for software application migration|
US7971049B2|2008-03-31|2011-06-28|Symantec Corporation|Systems and methods for managing user configuration settings|
US8782604B2|2008-04-11|2014-07-15|Oracle International Corporation|Sandbox support for metadata in running applications|
US8359593B2|2008-04-21|2013-01-22|Vmware, Inc.|Computer machine migration of file system images using a redo-log file|
US8424082B2|2008-05-08|2013-04-16|Google Inc.|Safely executing an untrusted native code module on a computing device|
US8364983B2|2008-05-08|2013-01-29|Microsoft Corporation|Corralling virtual machines with encryption keys|
US8195774B2|2008-05-23|2012-06-05|Vmware, Inc.|Distributed virtual switch for virtualized computer systems|
US20110191494A1|2008-05-27|2011-08-04|Turanyi Zoltan Richard|System and method for backwards compatible multi-access with proxy mobile internet protocol|
US8276145B2|2008-06-27|2012-09-25|Microsoft Corporation|Protected mode scheduling of operations|
US9176754B2|2008-07-16|2015-11-03|Google Inc.|Method and system for executing applications using native code modules|
US8285670B2|2008-07-22|2012-10-09|International Business Machines Corporation|Dynamically maintaining coherency within live ranges of direct buffers|
US20100211663A1|2008-07-28|2010-08-19|Viewfinity Inc.|Management of pool member configuration|
CN101640589B|2008-07-29|2012-11-07|华为技术有限公司|Method and device for sharing license between safe and removable media|
CN101645020A|2008-08-04|2010-02-10|优诺威讯国际有限公司|Virtual operating system creation method|
US7886183B2|2008-08-07|2011-02-08|Symantec Operating Corporation|Providing fault tolerant storage system to a cluster|
JP2010044579A|2008-08-12|2010-02-25|Brother Ind Ltd|Peripheral device, program, and driver installation system|
TW201007574A|2008-08-13|2010-02-16|Inventec Corp|Internet server system and method of constructing and starting a virtual machine|
US8381288B2|2008-09-30|2013-02-19|Intel Corporation|Restricted component access to application memory|
JP4966942B2|2008-10-01|2012-07-04|株式会社日立製作所|Virtual PC management method, virtual PC management system, and virtual PC management program|
US8291261B2|2008-11-05|2012-10-16|Vulcan Technologies Llc|Lightweight application-level runtime state save-and-restore utility|
US8103837B2|2008-12-17|2012-01-24|Hewlett-Packard Development Company, L.P.|Servicing memory read requests|
TWI384378B|2008-12-29|2013-02-01|Ind Tech Res Inst|Web application execution method|
US8117317B2|2008-12-31|2012-02-14|Sap Ag|Systems and methods for integrating local systems with cloud computing resources|
US8230121B2|2009-01-05|2012-07-24|Sierra Wireless, Inc.|Method and apparatus for identifying a device handle in a computer system|
US8214829B2|2009-01-15|2012-07-03|International Business Machines Corporation|Techniques for placing applications in heterogeneous virtualized systems while minimizing power and migration cost|
US8112480B2|2009-01-16|2012-02-07|Microsoft Corporation|Signaling support for sharer switching in application sharing|
US8019861B2|2009-01-29|2011-09-13|Vmware, Inc.|Speculative virtual machine resource scheduling|
US10203993B2|2009-02-18|2019-02-12|International Business Machines Corporation|Method and system for continuous optimization of data centers by combining server and storage virtualization|
US8769068B2|2009-02-24|2014-07-01|Telcordia Technologies, Inc.|System and method for policy based management for a high security MANET|
US8782670B2|2009-04-10|2014-07-15|Open Invention Network, Llc|System and method for application isolation|
US8418236B1|2009-04-10|2013-04-09|Open Invention Network Llc|System and method for streaming application isolation|
JP5289153B2|2009-04-14|2013-09-11|キヤノン株式会社|Information processing apparatus, control method therefor, and computer program|
US8751627B2|2009-05-05|2014-06-10|Accenture Global Services Limited|Method and system for application migration in a cloud|
US8429647B2|2009-05-06|2013-04-23|Vmware, Inc.|Virtual machine migration across network by publishing routes to the associated virtual networks via virtual router after the start of migration of the virtual machine|
US9588803B2|2009-05-11|2017-03-07|Microsoft Technology Licensing, Llc|Executing native-code applications in a browser|
JP2010267135A|2009-05-15|2010-11-25|Toshiba Corp|Memory controller|
US8150971B2|2009-05-31|2012-04-03|Red Hat Israel, Ltd.|Mechanism for migration of client-side virtual machine system resources|
US20100332629A1|2009-06-04|2010-12-30|Lauren Ann Cotugno|Secure custom application cloud computing architecture|
US20110004878A1|2009-06-30|2011-01-06|Hubert Divoux|Methods and systems for selecting a desktop execution location|
WO2011027191A1|2009-09-02|2011-03-10|Telenor Asa|A method, system, and computer readable medium for controlling access to a memory in a memory device|
US8285987B1|2009-12-04|2012-10-09|The United States Of America As Represented By The Secretary Of The Air Force|Emulation-based software protection|
US8479286B2|2009-12-15|2013-07-02|Mcafee, Inc.|Systems and methods for behavioral sandboxing|
US8645977B2|2010-02-04|2014-02-04|Microsoft Corporation|Extensible application virtualization subsystems|
US8301856B2|2010-02-16|2012-10-30|Arm Limited|Restricting memory areas for an instruction read in dependence upon a hardware mode and a security flag|
RU101231U1|2010-03-02|2011-01-10|Закрытое акционерное общество "Лаборатория Касперского"|MOBILE COMPUTER DEVICE SECURITY MANAGEMENT SYSTEM|
US20110231670A1|2010-03-16|2011-09-22|Shevchenko Oleksiy Yu|Secure access device for cloud computing|
US8880773B2|2010-04-23|2014-11-04|Red Hat, Inc.|Guaranteeing deterministic bounded tunable downtime for live migration of virtual machines over reliable channels|
WO2011143068A2|2010-05-09|2011-11-17|Citrix Systems, Inc.|Systems and methods for creation and delivery of encrypted virtual disks|
CN103262024B|2010-05-09|2015-05-13|思杰系统有限公司|Methods and systems for forcing an application to store data in a secure storage location|
US8640187B2|2010-05-28|2014-01-28|Red Hat, Inc.|Systems and methods for providing an fully functional isolated execution environment for accessing content|
EP2577539B1|2010-06-02|2018-12-19|VMware, Inc.|Securing customer virtual machines in a multi-tenant cloud|
US8166211B2|2010-06-07|2012-04-24|Vmware, Inc.|Safely sharing USB devices|
US8935317B2|2010-06-23|2015-01-13|Microsoft Corporation|Dynamic partitioning of applications between clients and servers|
US9323921B2|2010-07-13|2016-04-26|Microsoft Technology Licensing, Llc|Ultra-low cost sandboxing for application appliances|
US8972995B2|2010-08-06|2015-03-03|Sonics, Inc.|Apparatus and methods to concurrently perform per-thread as well as per-tag memory access scheduling within a thread and across two or more threads|
US9436502B2|2010-12-10|2016-09-06|Microsoft Technology Licensing, Llc|Eventually consistent storage and transactions in cloud based environment|
US8903705B2|2010-12-17|2014-12-02|Microsoft Corporation|Application compatibility shims for minimal client computers|
US8972746B2|2010-12-17|2015-03-03|Intel Corporation|Technique for supporting multiple secure enclaves|
US8832452B2|2010-12-22|2014-09-09|Intel Corporation|System and method for implementing a trusted dynamic launch and trusted platform module using secure enclaves|
US20120179485A1|2011-01-07|2012-07-12|Independa, Inc.|Systems and methods for integrated care management|
US20120203932A1|2011-02-08|2012-08-09|Microsoft Corporation|Multi-master media metadata synchronization|
US9483284B2|2011-02-25|2016-11-01|Red Hat, Inc.|Version compatibility determination|
US9891939B2|2011-03-03|2018-02-13|Microsoft Technology Licensing, Llc|Application compatibility with library operating systems|
US8839363B2|2011-04-18|2014-09-16|Bank Of America Corporation|Trusted hardware for attesting to authenticity in a cloud environment|
US9495183B2|2011-05-16|2016-11-15|Microsoft Technology Licensing, Llc|Instruction set emulation for guest operating systems|
US8745434B2|2011-05-16|2014-06-03|Microsoft Corporation|Platform for continuous mobile-cloud services|
US20130031371A1|2011-07-25|2013-01-31|Alcatel-Lucent Usa Inc.|Software Run-Time Provenance|
US20130036431A1|2011-08-02|2013-02-07|Microsoft Corporation|Constraining Execution of Specified Device Drivers|
US20130054734A1|2011-08-23|2013-02-28|Microsoft Corporation|Migration of cloud applications between a local computing device and cloud|
US9413538B2|2011-12-12|2016-08-09|Microsoft Technology Licensing, Llc|Cryptographic certification of secure hosted execution environments|
KR101874081B1|2012-06-07|2018-07-03|에스케이테크엑스 주식회사|Cloud Service Supporting Method And System based on a Enhanced Security|
JP2000258944A|1999-03-11|2000-09-22|Toshiba Corp|Electrophotographic photoreceptor and wet process electrophotographic device|
US9588803B2|2009-05-11|2017-03-07|Microsoft Technology Licensing, Llc|Executing native-code applications in a browser|
US9323921B2|2010-07-13|2016-04-26|Microsoft Technology Licensing, Llc|Ultra-low cost sandboxing for application appliances|
US8782434B1|2010-07-15|2014-07-15|The Research Foundation For The State University Of New York|System and method for validating program execution at run-time|
US9495183B2|2011-05-16|2016-11-15|Microsoft Technology Licensing, Llc|Instruction set emulation for guest operating systems|
US9413538B2|2011-12-12|2016-08-09|Microsoft Technology Licensing, Llc|Cryptographic certification of secure hosted execution environments|
US9063721B2|2012-09-14|2015-06-23|The Research Foundation For The State University Of New York|Continuous run-time validation of program execution: a practical approach|
US9069782B2|2012-10-01|2015-06-30|The Research Foundation For The State University Of New York|System and method for security and privacy aware virtual machine checkpointing|
US9141979B1|2013-12-11|2015-09-22|Ca, Inc.|Virtual stand-in computing service for production computing service|
US20150278512A1|2014-03-28|2015-10-01|Intel Corporation|Virtualization based intra-block workload isolation|
GB2525596B|2014-04-28|2021-05-26|Arm Ip Ltd|Access control and code scheduling|
US9922200B2|2014-06-30|2018-03-20|Microsoft Technology Licensing, Llc|Securely storing content within public clouds|
US10044695B1|2014-09-02|2018-08-07|Amazon Technologies, Inc.|Application instances authenticated by secure measurements|
US10079681B1|2014-09-03|2018-09-18|Amazon Technologies, Inc.|Securing service layer on third party hardware|
US9491111B1|2014-09-03|2016-11-08|Amazon Technologies, Inc.|Securing service control on third party hardware|
US10061915B1|2014-09-03|2018-08-28|Amazon Technologies, Inc.|Posture assessment in a secure execution environment|
US10230529B2|2015-07-31|2019-03-12|Microsoft Technology Licensing, LLC|Techniques to secure computation data in a computing environment|
GB201516227D0|2015-09-14|2015-10-28|Horne Stephen And Hemmer Fabian And Von Oven Peter|Running applications on a computer device|
US10664179B2|2015-09-25|2020-05-26|Intel Corporation|Processors, methods and systems to allow secure communications between protected container memory and input/output devices|
US9798641B2|2015-12-22|2017-10-24|Intel Corporation|Method to increase cloud availability and silicon isolation using secure enclaves|
US10936331B2|2017-02-23|2021-03-02|International Business Machines Corporation|Running a kernel-dependent application in a container|
US10146707B2|2017-03-14|2018-12-04|International Business Machines Corporation|Hardware-based memory protection|
CN109040137B|2018-10-10|2021-04-09|杭州安恒信息技术股份有限公司|Method and device for detecting man-in-the-middle attack and electronic equipment|
CN109922056B|2019-02-26|2021-09-10|创新先进技术有限公司|Data security processing method, terminal and server thereof|
Legal status:
2017-12-12| B25A| Requested transfer of rights approved|Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC (US) |
2018-12-04| B06F| Objections, documents and/or translations needed after an examination request according [chapter 6.6 patent gazette]|
2019-12-24| B06U| Preliminary requirement: requests with searches performed by other patent offices: procedure suspended [chapter 6.21 patent gazette]|
2021-06-01| B350| Update of information on the portal [chapter 15.35 patent gazette]|
2021-06-08| B09A| Decision: intention to grant [chapter 9.1 patent gazette]|
2021-08-17| B16A| Patent or certificate of addition of invention granted [chapter 16.1 patent gazette]|Free format text: TERM OF VALIDITY: 20 (TWENTY) YEARS COUNTED FROM 04/12/2012, SUBJECT TO THE LEGAL CONDITIONS. |
Priority:
Application number | Filing date | Patent title
US13/323,562|2011-12-12|
US13/323,562|US9389933B2|2011-12-12|2011-12-12|Facilitating system service request interactions for hardware-protected applications|
PCT/US2012/067660|WO2013090044A1|2011-12-12|2012-12-04|Facilitating system service request interactions for hardware-protected applications|