专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US08555081B2 Cryptographic multi-shadowing with integrity verification 有权
标题翻译：加密多重阴影与完整性验证
公开(公告)号：US08555081B2
公开(公告)日：2013-10-08
申请号：US12261194
申请日：2008-10-30
申请人： Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam , Tal Garfinkel , Dan Boneh
发明人： Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam , Tal Garfinkel , Dan Boneh
IPC分类号： G06F12/14
CPC分类号： G06F9/461 , G06F9/4486 , G06F9/45533 , G06F9/45558 , G06F9/4881 , G06F11/1451 , G06F11/1484 , G06F2009/45562 , G06F2009/45583 , G06F2201/815 , G06F2201/84
摘要： A virtual-machine-based system that may protect the privacy and integrity of application data, even in the event of a total operating system compromise. An application is presented with a normal view of its resources, but the operating system is presented with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Different views of “physical” memory are presented, depending on a context performing the access. An additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processors is provided.
摘要翻译：一种基于虚拟机的系统，可以保护应用程序数据的隐私和完整性，即使在整个操作系统受损的情况下也是如此。应用程序呈现其资源的正常视图，但操作系统呈现加密视图。这允许操作系统执行管理应用程序资源的复杂任务，而不允许它读取或修改它们。呈现“物理”存储器的不同视图，这取决于执行访问的上下文。提供了超越由传统操作系统和处理器实现的分级保护域的附加维度。

2. 发明授权

US08819676B2 Transparent memory-mapped emulation of I/O calls 有权
标题翻译： I / O调用的透明内存映射仿真
公开(公告)号：US08819676B2
公开(公告)日：2014-08-26
申请号：US12261722
申请日：2008-10-30
申请人： Daniel R. K. Ports , Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam , Tal Garfinkel
发明人： Daniel R. K. Ports , Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam , Tal Garfinkel
IPC分类号： G06F9/455
CPC分类号： G06F9/461 , G06F9/4486 , G06F9/45533 , G06F9/45558 , G06F9/4881 , G06F11/1451 , G06F11/1484 , G06F2009/45562 , G06F2009/45583 , G06F2201/815 , G06F2201/84
摘要： A virtual-machine-based system provides a mechanism to implement application file I/O operations of protected data by implementing the I/O operations semantics in a shim layer with memory-mapped regions. The semantics of these I/O operations are emulated in a shim layer with memory-mapped regions by using a mapping between a process' address space and a file or shared memory object. Data that is protected from viewing by a guest OS running in a virtual machine may nonetheless be accessed by the process.
摘要翻译：基于虚拟机的系统提供了通过在具有存储器映射区域的垫片层中实现I / O操作语义来实现受保护数据的应用文件I / O操作的机制。这些I / O操作的语义通过使用进程的地址空间和文件或共享内存对象之间的映射在具有内存映射区域的填充层中进行仿真。受虚拟机运行的客户机操作系统保护的数据可能会被进程访问。

3. 发明授权

US08261265B2 Transparent VMM-assisted user-mode execution control transfer 有权
标题翻译：透明VMM辅助用户模式执行控制传输
公开(公告)号：US08261265B2
公开(公告)日：2012-09-04
申请号：US12261623
申请日：2008-10-30
申请人： Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam , Tal Garfinkel , Daniel R. K. Ports
发明人： Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam , Tal Garfinkel , Daniel R. K. Ports
IPC分类号： G06F9/455
CPC分类号： G06F9/461 , G06F9/4486 , G06F9/45533 , G06F9/45558 , G06F9/4881 , G06F11/1451 , G06F11/1484 , G06F2009/45562 , G06F2009/45583 , G06F2201/815 , G06F2201/84
摘要： A virtual-machine-based system provides a control-transfer mechanism to invoke a user-mode application handler from existing virtual hardware directly, without going through an operating system kernel running in the virtual machine. A virtual machine monitor calls directly to the guest user-mode handler and the handler transfers control back to the virtual machine monitor, without involving the guest operating system.
摘要翻译：基于虚拟机的系统提供了一种控制传递机制，可以直接从现有的虚拟硬件调用用户模式应用程序处理程序，而无需通过在虚拟机中运行的操作系统内核。虚拟机监视器直接调用访客用户模式处理程序，处理程序将控制器传送回虚拟机监视器，而不涉及客户机操作系统。

4. 发明申请

US20090113110A1 Providing VMM Access to Guest Virtual Memory 有权
标题翻译：提供访问虚拟内存的VMM访问
公开(公告)号：US20090113110A1
公开(公告)日：2009-04-30
申请号：US12261147
申请日：2008-10-30
申请人： Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam
发明人： Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam
IPC分类号： G06F12/08 , G06F9/455 , G06F12/00
CPC分类号： G06F9/461 , G06F9/4486 , G06F9/45533 , G06F9/45558 , G06F9/4881 , G06F11/1451 , G06F11/1484 , G06F2009/45562 , G06F2009/45583 , G06F2201/815 , G06F2201/84
摘要： A virtual-machine-based system provides a mechanism for a virtual machine monitor (VMM) to process a hypercall received from an application running in the virtual machine (VM). A hypercall interface causes the virtual memory pages, needed by the VMM to process the hypercall, to be available to the VMM. In one embodiment, when virtual memory pages needed by the VMM to process the hypercall are not available to the VMM, the application is caused to access the needed pages, in response to which the required virtual memory becomes available to the VMM.
摘要翻译：基于虚拟机的系统为虚拟机监视器（VMM）提供了一种机制，用于处理从虚拟机（VM）中运行的应用程序接收到的超级呼叫。一个超级呼叫界面使VMM所需的虚拟内存页面可以处理该超级调用，以供VMM使用。在一个实施例中，当VMM处理该超级呼叫所需的虚拟存储器页面对VMM不可用时，使应用程序访问所需的页面，响应于所需的虚拟存储器对VMM可用。

5. 发明授权

US08607013B2 Providing VMM access to guest virtual memory 有权
标题翻译：提供访问虚拟内存的VMM访问
公开(公告)号：US08607013B2
公开(公告)日：2013-12-10
申请号：US12261147
申请日：2008-10-30
申请人： Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam
发明人： Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam
IPC分类号： G06F12/00 , G06F13/00 , G06F13/28
CPC分类号： G06F9/461 , G06F9/4486 , G06F9/45533 , G06F9/45558 , G06F9/4881 , G06F11/1451 , G06F11/1484 , G06F2009/45562 , G06F2009/45583 , G06F2201/815 , G06F2201/84
摘要： A virtual-machine-based system provides a mechanism for a virtual machine monitor (VMM) to process a hypercall received from an application running in the virtual machine (VM). A hypercall interface causes the virtual memory pages, needed by the VMM to process the hypercall, to be available to the VMM. In one embodiment, when virtual memory pages needed by the VMM to process the hypercall are not available to the VMM, the application is caused to access the needed pages, in response to which the required virtual memory becomes available to the VMM.
摘要翻译：基于虚拟机的系统为虚拟机监视器（VMM）提供了一种机制，用于处理从虚拟机（VM）中运行的应用程序接收到的超级呼叫。一个超级呼叫界面使VMM所需的虚拟内存页面可以处理该超级调用，以供VMM使用。在一个实施例中，当VMM处理该超级呼叫所需的虚拟存储器页面对VMM不可用时，使应用程序访问所需的页面，响应于所需的虚拟存储器对VMM可用。

6. 发明申请

US20090113111A1 SECURE IDENTIFICATION OF EXECUTION CONTEXTS 审中-公开
标题翻译：安全执行执行标识
公开(公告)号：US20090113111A1
公开(公告)日：2009-04-30
申请号：US12261159
申请日：2008-10-30
申请人： Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam
发明人： Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam
IPC分类号： G06F12/08
CPC分类号： G06F9/461 , G06F9/4486 , G06F9/45533 , G06F9/45558 , G06F9/4881 , G06F11/1451 , G06F11/1484 , G06F2009/45562 , G06F2009/45583 , G06F2201/815 , G06F2201/84
摘要： A virtual-machine-based system that identifies an application or process in a virtual machine in order to locate resources associated with the identified application. Access to the located resources is then controlled based on a context of the identified application. Those applications without the necessary context will have a different view of the resource.
摘要翻译：基于虚拟机的系统，其识别虚拟机中的应用或进程，以便定位与所识别的应用相关联的资源。然后基于所识别的应用的上下文来控制对所定位的资源的访问。那些没有必要上下文的应用程序将具有不同的资源视图。

7. 发明授权

US09274974B1 Isolating data within a computer system using private shadow mappings 有权
标题翻译：使用私有阴影映射隔离计算机系统内的数据
公开(公告)号：US09274974B1
公开(公告)日：2016-03-01
申请号：US11584178
申请日：2006-10-20
申请人： Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam
发明人： Xiaoxin Chen , Carl A. Waldspurger , Pratap Subrahmanyam
IPC分类号： G06F12/10
CPC分类号： G06F9/45558 , G06F12/109 , G06F12/1491 , G06F2009/45583 , G06F2212/1052 , G06F2212/151 , G06F2212/657
摘要： Virtualization software establishes multiple execution environments within a virtual machine, wherein software modules executing in one environment cannot access private memory of another environment. A separate set of shadow memory address mappings is maintained for each execution environment. For example, a separate shadow page table may be maintained for each execution environment. The virtualization software ensures that the shadow address mappings for one execution environment do not map to the physical memory pages that contain the private code or data of another execution environment. When execution switches from one execution environment to another, the virtualization software activates the shadow address mappings for the new execution environment. A similar approach, using separate mappings, may also be used to prevent software modules in one execution environment from accessing the private disk space or other secondary storage of another execution environment.
摘要翻译：虚拟化软件在虚拟机内建立多个执行环境，其中在一个环境中执行的软件模块不能访问另一环境的专用内存。为每个执行环境维护一组单独的影子内存地址映射。例如，可以为每个执行环境维护单独的影子页表。虚拟化软件确保一个执行环境的影子地址映射不映射到包含其他执行环境的私有代码或数据的物理内存页面。当执行从一个执行环境切换到另一个执行环境时，虚拟化软件会激活新执行环境的影子地址映射。使用单独映射的类似方法也可用于防止一个执行环境中的软件模块访问另一个执行环境的专用磁盘空间或其他辅助存储。

8. 发明授权

US07984304B1 Dynamic verification of validity of executable code 有权
标题翻译：动态验证可执行代码的有效性
公开(公告)号：US07984304B1
公开(公告)日：2011-07-19
申请号：US10791602
申请日：2004-03-02
申请人： Carl A. Waldspurger , Ole Agesen , Xiaoxin Chen , John R. Zedlewski , Tal Garfinkel
发明人： Carl A. Waldspurger , Ole Agesen , Xiaoxin Chen , John R. Zedlewski , Tal Garfinkel
IPC分类号： G06F11/30 , G06F12/14
CPC分类号： G06F21/565
摘要： Computer-executable instructions in a computer are verified dynamically, after they have been identified for submission for execution, but before they are actually executed. In particular, for at least one current instruction that has been identified for submission to the processor for execution, an identifying value, for example, a hash value, is determined for a current memory block that contains the current instruction. The identifying value of the current memory block is then compared with a set of reference values. If the identifying value satisfies a validation condition, then execution of the current instruction by the processor is allowed. If the validation condition is not satisfied, then a response is generated: In the common case, execution of the current instruction is not allowed, or some other predetermined measure is taken.
摘要翻译：计算机中的计算机可执行指令在被识别为提交执行之后但在实际执行之前被动态地验证。特别地，对于已被识别用于提交给处理器以执行的至少一个当前指令，为包含当前指令的当前存储块确定标识值，例如哈希值。然后将当前存储器块的识别值与一组参考值进行比较。如果识别值满足验证条件，则允许由处理器执行当前指令。如果验证条件不满足，则产生响应：在常见情况下，不允许执行当前指令，或者采取其他一些预定措施。

9. 发明授权

US08402441B2 Monitoring execution of guest code in a virtual machine 有权
标题翻译：监视虚拟机中的访客代码的执行
公开(公告)号：US08402441B2
公开(公告)日：2013-03-19
申请号：US12188929
申请日：2008-08-08
申请人： Dmitriy Budko , Xiaoxin Chen , Oded Horovitz , Pratap Subrahmanyam , Carl Waldspurger
发明人： Dmitriy Budko , Xiaoxin Chen , Oded Horovitz , Pratap Subrahmanyam , Carl Waldspurger
IPC分类号： G06F9/44 , G06F9/45
CPC分类号： G06F21/53 , G06F9/45558 , G06F2009/45587 , G06F2009/45591
摘要： A method is provided for monitoring registered code in a virtual machine of a virtualization system. The method includes instantiating a guest in the virtual machine of the virtualization system and monitoring execution of code registered for monitored execution in an execution context of the guest. The monitoring is performed by the virtualization system and is hidden from computations of the guest.
摘要翻译：提供了一种用于监视虚拟化系统的虚拟机中的注册代码的方法。该方法包括在虚拟化系统的虚拟机中实例化客户端，并且监视在客户端执行上下文中注册用于被监控执行的代码的执行。监视由虚拟化系统执行，并且隐藏于访客的计算中。

10. 发明授权

US08327059B2 System and method to enhance memory protection for programs in a virtual machine environment 有权
标题翻译：用于增强虚拟机环境中程序的内存保护的系统和方法
公开(公告)号：US08327059B2
公开(公告)日：2012-12-04
申请号：US12571190
申请日：2009-09-30
申请人： Xiaoxin Chen , Pratap Subrahmanyam
发明人： Xiaoxin Chen , Pratap Subrahmanyam
IPC分类号： G06F12/00
CPC分类号： G06F12/08 , G06F9/45558 , G06F12/145 , G06F21/79 , G06F2009/45583
摘要： In a computer system supporting execution of virtualization software and at least one instance of virtual system hardware, an interface is provided into the virtualization software to allow a program to directly define the access characteristics of its program data stored in physical memory. The technique includes providing data identifying memory pages and their access characteristics to the virtualization software which then derives the memory access characteristics from the specified data. Optionally, the program may also specify a pre-defined function to be performed upon the occurrence of a fault associated with access to an identified memory page. In this manner, programs operating both internal and external to the virtualization software can protect his memory pages, without intermediation by the operating system software.
摘要翻译：在支持虚拟化软件的执行和虚拟系统硬件的至少一个实例的计算机系统中，向虚拟化软件提供接口以允许程序直接定义其存储在物理存储器中的程序数据的访问特性。该技术包括向虚拟化软件提供识别存储器页面及其访问特性的数据，然后从指定的数据导出存储器访问特性。可选地，程序还可以指定在发生与所识别的存储器页面的访问相关联的故障时执行的预定义功能。以这种方式，在虚拟化软件内部和外部运行的程序可以保护他的存储器页面，而不受操作系统软件的中介。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式