IPC classification information
Country/Type | United States (US) Patent, Registered
International Patent Classification (IPC 7th edition) |
Application number | UP-0298033 (2005-12-09)
Registration number | US-7644246 (2010-02-11)
Inventor / Address |
- Peinado, Marcus
- England, Paul
- Willman, Bryan Mark
Applicant / Address |
Agent / Address |
Citation information | Cited by: 8 | Cited patents: 26
Abstract
A data storage resource is identifiable by physical addresses, and optionally by a virtual address. A policy defines which resources are accessible and which resources are not accessible. A request to access a resource is allowed if access to the resource is permitted by the policy, and if carrying out the access will not cause virtual addresses to be assigned to resources to which the policy disallows access. Since resources to which access is disallowed do not have virtual addresses, certain types of access requests that identify a resource by a virtual address can be allowed without consulting the policy.
Representative claims
What is claimed is:

1. A system for controlling access to an addressable entity in accordance with a policy, P, the addressable entity defining a first mapping from a first set comprising physical addresses, A, to a second set, M, there being a second mapping from a third set comprising virtual addresses, V, to the first set, the function f: A→M denoting the first mapping, the function g: S×V→A denoting the second mapping, wherein S is a set of sources that can request access to the addressable entity, the system comprising: at least one computing device comprising a processor, a memory in communication with the processor and addressable by the physical addresses, a guard implemented in the processor, wherein the guard evaluates a request from a source, s, to evaluate or modify the first mapping, where s∈S, wherein the guard conditionally allows the request based on a constraint that the request is allowable under the policy, P, and denies the request based on a constraint that the request is not allowable under the policy, P, and also denies the request if execution of the request would cause an invariant condition to be violated, even if the request is otherwise allowable under the policy, P, wherein the invariant condition constrains one or more resources that can be identified using a virtual address and is defined such that a set of physical addresses that a source can access through an address translation mechanism using a virtual address and a set of resources to which access by the source is unallowable by the policy are distinct and non-intersecting, and wherein the invariant condition is that a given source has no virtual address for any resource that the source is not allowed to access under the policy, P, wherein the addressable entity comprises the memory, and wherein the guard performs selective filtering on requests from the source by using a plurality of subguards to evaluate conditions that are sufficient to decide whether to allow or deny the request, wherein one of the subguards evaluates a condition that is sufficient and necessary to decide whether to allow or deny the request if none of the other subguards is able to decide whether to allow or deny the request.

2. The system of claim 1, wherein the invariant condition is represented by the statement: MP(s) ∩ NA(P,s) = ∅, where NA(P,s) consists of all members of the first set, A, at which the policy, P, disallows the source, s, from evaluating or modifying the first mapping, and where MP(s) is the set of physical addresses in the memory that are addressable by the source s through the second mapping.

3. The system of claim 2, wherein the invariant condition is represented by the statement: MP(s) ∩ NW(P,s) = ∅, wherein NW(P,s) consists of all members of the first set, A, at which the policy, P, disallows the source, s, from modifying the first mapping.

4. The system of claim 3, wherein a portion of the first mapping located at a subset of the first set, A, affects the second mapping, and wherein the invariant condition is represented by the statement: (MP(s) ∪ PMS) ∩ NW(P,s) = ∅, wherein PMS denotes said subset.

5. The system of claim 2, wherein a portion of the first mapping located at a subset of the first set, A, affects the second mapping, and wherein the invariant condition is represented by the statement: (MP(s) ∪ PMS) ∩ NA(P,s) = ∅, wherein PMS denotes said subset.

6. The system of claim 2, wherein the function g associates an attribute with each member of the first set, A, that is a solution to g(s,v) for v∈V, the attribute indicating whether the first mapping may be modified at said member, wherein a portion of the first mapping located at a subset of the first set, A, affects the second mapping, and wherein the invariant condition is represented by the statement: MP(s) ∩ NA(P,s) = ∅ ∧ MPRW(s) ∩ PMS = ∅, wherein MPRW(s) consists of the members of A whose attributes are indicative of being modifiable by the source, s, and wherein PMS denotes said subset.

7. The system of claim 2, wherein the function g associates an attribute with each member of the first set, A, that is a solution to g(s,v) for v∈V, the attribute indicating whether the first mapping may be modified at said member, wherein a portion of the first mapping located at a subset of the first set, A, affects the second mapping, and wherein the invariant condition is represented by the statement: MP(s) ∩ NW(P,s) = ∅ ∧ MPRW(s) ∩ PMS = ∅, wherein NW(P,s) consists of all members of the first set, A, at which the policy, P, disallows the source, s, from modifying the first mapping, wherein MPRW(s) consists of the members of A whose attributes are indicative of being modifiable by the source, s, and wherein PMS denotes said subset.

8. The system of claim 2, wherein the function g associates an attribute with each member of the first set, A, that is a solution to g(s,v) for v∈V, the attribute indicating whether the first mapping may be modified at said member, wherein a portion of the first mapping located at a subset of the first set, A, affects the second mapping, and wherein the invariant condition is represented by the statement: MP(s) ∩ NR(P,s) = ∅ ∧ MPRW(s) ∩ PMS = ∅, wherein NR(P,s) consists of all members of the first set, A, at which the policy, P, disallows the source, s, from evaluating the first mapping, wherein MPRW(s) consists of the members of A whose attributes are indicative of being modifiable by the source, s, and wherein PMS denotes said subset.

9. The system of claim 2, wherein the function g is further based on arbitrary information, E, such that g: S×V×E→A.

10. The system of claim 2, wherein the memory comprises a random access memory that implements the first mapping, and wherein the system further comprises: a memory management unit that implements the second mapping.

11. The system of claim 2, wherein there is a set of values, CORE, such that CORE⊂A, and such that f(a) affects the functioning of the guard for all a∈CORE, and wherein P prohibits at least one of the sources from modifying the first mapping at any of the elements in CORE.

12. The system of claim 1, wherein the conditional allowance of the request comprises executing a new request in place of said request, such that executing the new request does not cause the statement to be false.

13. The system of claim 1, wherein the guard conditionally allows the request if the statement is false but X is true, where X is an arbitrary condition, and wherein the guard ensures that X is not true unless the statement is true.

14. A method comprising: evaluating an access request from a source to access an addressable entity; denying the access request if the access request is not allowable under a policy; denying the access request even if the access request is allowable under the policy if execution of the request would cause an invariant condition to be violated, wherein the invariant condition constrains one or more resources that can be identified using a virtual address and is defined such that a set of physical addresses that a source can access through an address translation mechanism using a virtual address and a set of resources to which access by the source is unallowable by the policy are distinct and non-intersecting; allowing the access request if the access request is allowable under the policy and would not cause the invariant condition to be violated; and performing selective filtering on requests from the source by using a plurality of subguards to evaluate conditions that are sufficient to decide whether to allow or deny the request, wherein one of the subguards evaluates a condition that is sufficient and necessary to decide whether to allow or deny the request if none of the other subguards is able to decide whether to allow or deny the request, wherein performing selective filtering comprises determining whether a request is a read request that identifies a resource using a virtual address and, if so, then allowing the request without further evaluation.

15. A method as defined in claim 14, wherein the invariant condition prevents the source from having a virtual address for any resource that the source is not allowed to access under the policy.

16. A computer-readable storage medium encoded with computer-readable instructions that, when executed by a computer, cause the computer to perform a method comprising: evaluating an access request from a source to access an addressable entity; denying the access request if the access request is not allowable under a policy; denying the access request even if the access request is allowable under the policy if execution of the request would cause an invariant condition to be violated, wherein the invariant condition constrains one or more resources that can be identified using a virtual address and is defined such that a set of physical addresses that a source can access through an address translation mechanism using a virtual address and a set of resources to which access by the source is unallowable by the policy are distinct and non-intersecting; allowing the access request if the access request is allowable under the policy and would not cause the invariant condition to be violated; and performing selective filtering on requests from the source by using a plurality of subguards to evaluate conditions that are sufficient to decide whether to allow or deny the request, wherein one of the subguards evaluates a condition that is sufficient and necessary to decide whether to allow or deny the request if none of the other subguards is able to decide whether to allow or deny the request.
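The guard of claims 1, 2 and 14, as an added Python model written for this page (it is not the patent's or Microsoft's implementation): a policy subguard checks NA(P,s), an invariant subguard refuses any page-table edit that would make MP(s) ∩ NA(P,s) non-empty even when the policy permits the write, and a first subguard passes read requests that name a resource by virtual address without consulting the policy, because the invariant already guarantees such a read cannot reach a forbidden frame. The source names, frame numbers, policy sets and page tables are constructed for the demonstration.

```python
"""Toy model of a policy-plus-invariant memory access guard.

Constructed example: sources, frame numbers, policy sets and page tables
below are invented for illustration; nothing here is the patent's own code.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Decision = Tuple[str, str]  # ("allow" | "deny", human-readable reason)


@dataclass(frozen=True)
class Request:
    source: str
    op: str                                    # "read" or "write"
    addr: int                                  # virtual if via_virtual else physical
    via_virtual: bool
    new_entry: Optional[Tuple[int, int]] = None  # (v, a) payload of a page-table write


class Guard:
    def __init__(self, na: Dict[str, Set[int]], tables: Dict[str, Dict[int, int]],
                 table_home: Dict[str, int]) -> None:
        self.na = na                  # NA(P, s): frames source s may not evaluate or modify
        self.tables = tables          # g(s, v): per-source virtual -> physical map
        self.table_home = table_home  # frame that stores each source's page table
        self.pms = set(table_home.values())  # PMS: frames whose content defines g

    def mp(self, s: str, tables: Optional[Dict[str, Dict[int, int]]] = None) -> Set[int]:
        """MP(s): frames reachable by s through the translation mechanism."""
        tables = self.tables if tables is None else tables
        return set(tables[s].values())

    def invariant_holds(self, tables: Optional[Dict[str, Dict[int, int]]] = None) -> bool:
        """Claim 2: MP(s) ∩ NA(P, s) = ∅ for every source s."""
        tables = self.tables if tables is None else tables
        return all(not (self.mp(s, tables) & self.na[s]) for s in tables)

    def evaluate(self, req: Request) -> Decision:
        # Subguard 1 (claim 14): a read by virtual address needs no policy lookup,
        # since the invariant means no virtual address maps to a forbidden frame.
        if req.op == "read" and req.via_virtual:
            return "allow", "virtual read: invariant makes the policy check unnecessary"
        # Everything else is decided on the physical frame, so translate first.
        phys = self.tables[req.source].get(req.addr) if req.via_virtual else req.addr
        if phys is None:
            return "deny", "unmapped virtual address"
        # Subguard 2: the policy P itself.
        if phys in self.na[req.source]:
            return "deny", f"policy P forbids {req.source} at physical frame {phys}"
        # Subguard 3 (claim 1): a write that edits a page table is simulated and
        # denied if the resulting mapping would break the invariant.
        if req.op == "write" and phys in self.pms:
            if req.new_entry is None:
                return "deny", "page-table write without a well-formed entry"
            owner = next(s for s, home in self.table_home.items() if home == phys)
            v, a = req.new_entry
            trial = {s: dict(t) for s, t in self.tables.items()}
            trial[owner][v] = a
            if not self.invariant_holds(trial):
                return "deny", "allowed by P, but would map a forbidden frame for " + owner
            self.tables = trial  # commit the mapping change only after the check
            return "allow", "page-table update keeps the invariant"
        return "allow", "policy P permits the access"


def build_demo_guard() -> Guard:
    """Constructed scenario: 'guest' must never reach frames 8 and 9; 'nexus' may."""
    na = {"guest": {8, 9}, "nexus": set()}
    tables = {"guest": {0x1000: 4, 0x2000: 5}, "nexus": {0x1000: 8}}
    table_home = {"guest": 2, "nexus": 3}   # guest's table lives in frame 2
    return Guard(na, tables, table_home)


if __name__ == "__main__":
    g = build_demo_guard()
    for r in (Request("guest", "read", 0x1000, True),
              Request("guest", "write", 8, False),
              Request("guest", "write", 2, False, (0x3000, 9)),
              Request("guest", "write", 2, False, (0x3000, 6)),
              Request("guest", "read", 0x3000, True)):
        print(r.source, r.op, hex(r.addr), "->", g.evaluate(r))
```

The order of the subguards is the point of the model: the policy is consulted only for requests that name a physical frame or that write, and the invariant check is the one that stops an otherwise policy-compliant page-table edit from creating a virtual path to a protected frame.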