System for isolating first computing environment from second execution environment while sharing resources by copying data from first portion to second portion of memory
IPC classification information
Country / Type: United States (US) Patent, Granted
International Patent Classification (IPC 7th edition): G06F-009/46; H04L-029/06
Application number: UP-0428279 (2003-05-02)
Registration number: US-7788669 (2010-09-20)
Inventors / Address: England, Paul; Peinado, Marcus; Willman, Bryan Mark
Applicant / Address: Microsoft Corporation
Agent / Address: Woodcock Washburn LLP
Citation information: Times cited: 18; Cited patents: 10
Abstract
Techniques are disclosed to support hosting of a first operating system by a second operating system, where the first system provides at least some of the infrastructure for the second system. A facility is provided whereby the second system can receive data from the first system without the first system being able to modify that data. The second system may use the first system's scheduler by creating shadow threads and synchronization objects known to the first system, while the second system makes the final decision as to whether a thread runs. Separate memory may be allocated to both systems at boot time, or dynamically during their operation. The techniques herein may be used to protect the second system from actions arising in the first system. Preferably, the interaction between the first and second systems is facilitated by a security monitor, which assists in protecting the second system from the first.
Representative claims
What is claimed:
1. A method for isolating a plurality of computing environments interacting on a computing device, comprising acts of: running a first computing environment and a second computing environment on the computing device, wherein the first computing environment hosts the second computing environment by sharing computing resources of the first computing environment with the second computing environment; enabling interaction between the first and second computing environments to share the computing resources of the first computing environment with the second computing environment while isolating the first computing environment from the second computing environment, wherein enabling interaction comprises: receiving data by the second computing environment from the first computing environment in a first state that is writeable by the first computing environment; isolating the first computing environment from the second computing environment by placing the data into a second state that is readable by the second computing environment but not modifiable by the first computing environment during a time in which the first computing environment and second computing environment are allowed to interact; and performing a validation test by the second computing environment on the data to ensure that the second computing environment will continue to operate according to a predetermined specification.
2. The method of claim 1, wherein said first state and said second state are mutually distinct data storage areas, and wherein the act of placing the data into the second state comprises: copying the data from the first state to the second state.
3. The method of claim 1, wherein said first state and said second state are the same physical data storage area, and wherein the act of placing the data into the second state comprises depriving the first computing environment of the ability to write said physical data storage area.
4. The method of claim 3, wherein the act of placing the data into the second state is performed without copying any of the data.
5. The method of claim 1, wherein said first state and said second state each comprise a set of registers on a processor, wherein said first computing environment executes on the processor to write the data into the set of registers, and wherein the second computing environment executes on the processor to read the set of registers; the first computing environment and the second computing environment not being able to execute on the processor at the same time, whereby the set of registers constitutes the first state while the first computing environment is executing on the processor, and the set of registers constitutes the second state while the second computing environment is executing on the processor.
6. The method of claim 1, wherein the first computing environment accesses a memory through a mapping, the mapping being configurable such that at least some part of the memory can be made unwriteable by the first computing environment, the computing environment to which the mapping corresponds, and wherein the act of placing the data into the second state comprises: configuring the mapping such that said some part of the memory is unwriteable by the first computing environment.
7. The method of claim 6, wherein each unit of the memory has a physical address, wherein the first computing environment accesses the memory based on virtual addresses, and wherein the mapping maps the virtual addresses to the physical addresses.
8. The method of claim 7, wherein the memory is divided into pages, wherein the mapping maps virtual addresses to physical addresses with per-page granularity, said some part of the memory comprising one or more of the pages.
9. The method of claim 6, wherein the mapping can designate one or more parts of the memory as being only readable by the first computing environment, and wherein the act of configuring the mapping comprises: configuring the mapping to designate said some part of the memory as being only readable by the first computing environment.
10. The method of claim 6, wherein the mapping can designate one or more parts of the memory as being not present, and wherein the act of configuring the mapping comprises: configuring the mapping to designate said some part of the memory as being not present.
11. The method of claim 6, wherein the act of configuring the mapping comprises: removing, from the mapping, a reference to said some part of the memory.
12. The method of claim 1, wherein said act of placing the data into the second state comprises: copying the data from the first state to a third state that is different both from said first state and from said second state; and copying the data from the third state to the second state.
13. The method of claim 12, wherein the third state is accessible only by a security monitor that is distinct from both the first computing environment and the second computing environment, the security monitor being trusted by the second computing environment, and wherein the security monitor performs the acts of copying the data from the first state to the third state, and of copying the data from the third state to the second state.
14. The method of claim 12, wherein the first computing environment and the second computing environment have shared access to the first state, and wherein the second computing environment copies the data into the second state.
15. The method of claim 1, wherein the first computing environment comprises a first execution environment, and wherein the second computing environment comprises a second execution environment.
16. The method of claim 15, wherein the first execution environment comprises a first operating system, and wherein the second execution environment comprises a second operating system.
17. The method of claim 16, wherein the first operating system hosts the second operating system by providing at least some infrastructure used by the second operating system.
18. The method of claim 17, wherein said infrastructure comprises at least one of: a memory; and a processor.
19. The method of claim 17, wherein a security monitor that is distinct both from the first operating system and from the second operating system and that is trusted by the second operating system performs the act of placing the data into the second state, wherein the security monitor enforces a separation between the first and second computing environments.
20. The method of claim 16, wherein the first execution environment is expected to conform its behavior to a first specification, wherein the second execution environment is expected to conform its behavior to a second specification, wherein the expectation that the second execution environment will behave according to the second specification is relatively greater than the expectation that the first execution environment will conform its behavior to the first specification, and wherein the method further comprises: performing said validation test, wherein said validation test provides a level of assurance that the data will not cause the second execution environment to behave in a manner that would violate the second specification.
21. A computer-readable storage medium comprising computer-executable instructions that are executable by a computer to perform acts for isolating a plurality of computing environments interacting on a computing device, the acts comprising: running a first computing environment and a second computing environment on the computing device, wherein the first computing environment hosts the second computing environment by sharing computing resources of the first computing environment with the second computing environment; enabling interaction between the first and second computing environments to share the computing resources of the first computing environment with the second computing environment while isolating the first computing environment from the second computing environment, wherein enabling interaction comprises: accepting data into a first state that is writeable by the first computing environment; placing the data into a second state that is readable by the second computing environment; and ensuring that the second state is not writeable by the first computing environment during a time in which the first computing environment and second computing environment are allowed to interact; and performing a validation test on the data to ensure that the second computing environment will continue to operate according to a predetermined specification, wherein: the first state comprises a first portion of memory; the second state comprises a second portion of memory different from said first portion of memory; and the act of placing the data into the second state comprises copying the data from the first portion of memory to the second portion of memory.
22. The computer-readable medium of claim 21, wherein the instructions to perform the act of placing the data into the second state comprise instructions to perform acts comprising: running the second computing environment on a processor that comprises a set of registers, wherein the first state comprises the set of registers when the first entity is running on the processor, and wherein the second state comprises the set of registers when the second computing environment is running on the processor, whereby the second computing environment retrieves the data from the set of registers; copying the data from a first portion of a memory to a second portion of the memory that is different from said first portion of the memory, wherein the first state comprises the first portion of the memory, and wherein the second state comprises the second portion of the memory; and configuring a mapping to make the first state unwriteable by the first computing environment, wherein the first state comprises a third portion of the memory, wherein the first computing environment accesses the memory through the mapping, and wherein the mapping is configurable so as to make at least some part of the memory unwriteable by the first computing environment.
23. The computer-readable medium of claim 22, wherein the computer-executable instructions are adapted to perform acts further comprising: determining whether the communication of data from the first computing environment to the second computing environment is to be performed by said running act, said copying act, or said configuration act, based on a criterion.
24. The computer-readable medium of claim 23, wherein said criterion comprises a size of the data.
25. The computer-readable medium of claim 21, wherein the act of copying the data from the first state to the second state comprises: copying the data from the first portion of the memory to a third portion of the memory that is different both from the first portion of the memory and from the second portion of the memory; and copying the data from the third portion of the memory to the second portion of the memory.
26. The computer-readable medium of claim 25, wherein the computer-readable medium further contains: logic that implements a security monitor that is trusted by the second computing environment, the security monitor being adapted to make the third portion of the memory inaccessible to the first computing environment and the second computing environment, the security monitor being further adapted to perform the acts of copying the data from the first portion of the memory to the third portion of the memory, and of copying the data from the third portion of the memory to the second portion of the memory.
27. The computer-readable medium of claim 21, wherein the first state and the second state each comprise a common portion of a memory, wherein the first computing environment accesses the memory through a mapping, the mapping being configurable so as to make at least some part of the memory unwriteable by the first computing environment, and wherein the act of placing the data into the second state comprises: configuring the mapping so as to make said portion of the memory unwriteable by the first computing environment.
28. The computer-readable medium of claim 27, wherein the act of configuring the mapping comprises: removing, from the mapping, a reference to said portion of the memory.
29. The computer-readable medium of claim 27, wherein the mapping can designate one or more parts of the memory as being only readable by the first computing environment, and wherein the act of configuring the mapping comprises: configuring the mapping to designate said portion of the memory as being only readable by the first computing environment.
30. The computer-readable medium of claim 27, wherein the mapping can designate one or more parts of the memory as being not present, and wherein the act of configuring the mapping comprises: configuring the mapping to designate said portion of the memory as being not present.
31. The computer-readable medium of claim 21, wherein said first state and said second state comprise a set of registers on a processor, wherein said act of accepting the data into the first state comprises: executing the first computing environment on the processor, whereby the first computing environment places the data into the set of registers; and wherein the act of placing the data into the second state comprises: executing the second computing environment on the processor, whereby the second computing environment retrieves the data from the set of registers; the set of registers constituting the first state when the first computing environment executes on the processor, and the set of registers constituting the second state when the second computing environment executes on the processor.
32. The computer-readable medium of claim 21, wherein the first computing environment comprises a first execution environment, and wherein the second computing environment comprises a second execution environment.
33. The computer-readable medium of claim 32, wherein the first computing environment comprises a first operating system, and wherein the second computing environment comprises a second operating system.
34. The computer-readable medium of claim 32, wherein said first execution environment is expected to conform its behavior to a first specification, wherein the second execution environment is expected to conform its behavior to a second specification, wherein the expectation that the second execution environment will behave according to the second specification is relatively greater than the expectation that the first execution environment will conform its behavior to the first specification, and wherein the computer-executable instructions are further adapted to perform acts comprising: performing said validation test to ensure that the data will not cause the second execution environment to behave in a manner that would violate the second specification.
35. The computer-readable medium of claim 21, wherein the computer-readable medium further contains: logic to implement a security monitor which is trusted by the second computing environment, the security monitor being adapted to perform the act of placing the data into the second state, wherein the security monitor enforces the separation between the first and second computing environments.
36. A method for isolating a plurality of computing environments interacting on a computing device, comprising acts of: running a first computing environment and a second computing environment on the computing device, wherein the first computing environment is a host operating system of the computing device which shares computing resources of the first computing environment with the second computing environment; enabling interaction between the first and second computing environments to share the computing resources of the first computing environment with the second computing environment while isolating the first computing environment from the second computing environment, wherein enabling interaction comprises: receiving data from the first computing environment in a first state that is writeable by the first computing environment; and isolating the first computing environment from the second computing environment by placing the data into a second state that is readable by the second computing environment but not modifiable by the first computing environment during a time in which the first computing environment and second computing environment are allowed to interact; and performing a validation test on the data to ensure that the second computing environment will continue to operate according to a predetermined specification, wherein: the first state comprises a first portion of memory; the second state comprises a second portion of memory different from said first portion of memory; and the act of placing the data into the second state comprises copying the data from the first portion of memory to the second portion of memory.
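The core of claims 1, 2 and 21 is a copy-then-validate discipline: data arrives in a "first state" the host can write at any time, is copied into a "second state" the host cannot write, and only the copy is validated and used. The C below is an added illustration of that discipline written for this page; it is not code from the patent or from Microsoft. The message layout (a host-claimed length plus a fixed-capacity payload), the "printable ASCII" rule standing in for the predetermined specification, and the names `shared_msg`, `private_msg`, `receive_message`, `accepts` and `demo_scenario` are all assumptions made for the example. It shows why the validation must run on the private copy: a host write to the shared area after the copy cannot change what was validated, whereas validating the shared area and then reading it again would leave a window for the host to modify it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the shared area; a constructed value for this example. */
#define MSG_CAPACITY 64u

/* "First state": memory the host environment may write at any time.
 * Both fields are host-controlled and therefore untrusted. */
struct shared_msg {
    uint32_t len;                  /* host-claimed payload length */
    uint8_t  payload[MSG_CAPACITY];
};

/* "Second state": memory the host cannot write. In the patent this is
 * enforced by the security monitor or by the memory mapping; here it is
 * simply a separate object that only this code touches. */
struct private_msg {
    uint32_t len;
    uint8_t  payload[MSG_CAPACITY];
};

/* Step 1 (claims 2 and 21): copy the whole first-state area into the second
 * state. The copy size is fixed by the layout, never by the host's len field,
 * so a bogus length cannot drive an over-read. */
static void snapshot(const struct shared_msg *first, struct private_msg *second)
{
    second->len = first->len;
    memcpy(second->payload, first->payload, MSG_CAPACITY);
}

/* Step 2 (claims 1 and 20): the validation test, run on the private copy only.
 * Assumed specification: len fits the buffer and the payload is printable
 * ASCII. Returns 0 if the copy conforms, -1 if not. */
static int validate(const struct private_msg *m)
{
    if (m->len > MSG_CAPACITY)
        return -1;
    for (uint32_t i = 0; i < m->len; i++) {
        if (m->payload[i] < 0x20 || m->payload[i] > 0x7e)
            return -1;
    }
    return 0;
}

/* Receive path of the second environment (or of the monitor acting for it):
 * snapshot first, then validate the snapshot. Every later use reads only
 * `second`, so a host write after the copy cannot alter validated data. On
 * rejection the private copy is cleared so stale data is not used by mistake.
 * Returns 0 on acceptance, -1 on rejection. */
int receive_message(const struct shared_msg *first, struct private_msg *second)
{
    snapshot(first, second);
    if (validate(second) != 0) {
        memset(second, 0, sizeof *second);
        return -1;
    }
    return 0;
}

/* Build a shared message with a host-claimed length and the given bytes
 * (constructed input), then run the receive path. Returns its result. */
int accepts(uint32_t claimed_len, const char *bytes)
{
    struct shared_msg shared;
    struct private_msg priv;
    size_t n = strlen(bytes);

    memset(&shared, 0, sizeof shared);
    if (n > MSG_CAPACITY)
        n = MSG_CAPACITY;
    memcpy(shared.payload, bytes, n);
    shared.len = claimed_len;
    return receive_message(&shared, &priv);
}

/* Constructed scenario: a valid message is accepted; a host write to the
 * shared area after the copy leaves the private copy untouched; the tampered
 * message is rejected on the next receive. Returns 0 when all three hold,
 * otherwise the number of the step that failed. */
int demo_scenario(void)
{
    struct shared_msg shared;
    struct private_msg priv;

    memset(&shared, 0, sizeof shared);
    shared.len = 5;
    memcpy(shared.payload, "hello", 5);
    if (receive_message(&shared, &priv) != 0)
        return 1;
    if (priv.len != 5 || memcmp(priv.payload, "hello", 5) != 0)
        return 2;

    /* Host modifies the first state after validation: the private copy is
     * unaffected because nothing reads the shared area again. */
    shared.len = 0xffffffffu;
    memcpy(shared.payload, "HELLO", 5);
    if (priv.len != 5 || memcmp(priv.payload, "hello", 5) != 0)
        return 3;

    /* A fresh receive sees the oversized length and rejects it. */
    if (receive_message(&shared, &priv) != -1)
        return 4;
    return 0;
}

int main(void)
{
    printf("scenario result: %d (0 = all checks held)\n", demo_scenario());
    printf("accepts(5, \"hello\") = %d\n", accepts(5, "hello"));
    printf("accepts(65, \"x\") = %d\n", accepts(65, "x"));
    return 0;
}
```

The same structure carries over to claim 12's two-hop variant: the monitor would perform `snapshot` into its own third area, validate there, and copy into the second environment's memory, so that neither environment can write the area in which the test is run.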
Patents cited by this patent (10)
Takebe, Makoto, Asynchronous data transmission system.
Saito, Nobuyuki; Kubota, Shinsuke; Shimono, Hiroaki; Matsuda, Kuniaki, Data transfer control device including buffer controller with plurality of pipe regions allocated to plurality of endpoints.
Baker, Ernest D.; Dinwiddie, John M., Jr.; Grice, Lonnie E.; Joyce, James M.; Loffredo, John M.; Sanderson, Kenneth R., Method and apparatus for the direct transfer of information between application programs running on distinct processors.
Ginter, Karl L.; Shear, Victor H.; Sibert, W. Olin; Spahn, Francis J.; Van Wie, David M., Systems and methods for secure transaction management and electronic rights protection.
Devine, Scott W.; Bugnion, Edouard; Rosenblum, Mendel, Virtualization system including a virtual machine monitor for a computer with a segmented architecture.
Yokota, Daisuke, Accessing copy information of MMIO register by guest OS in both active and inactive state of a designated logical processor corresponding to the guest OS.
Brochu, Christian; Laflamme, Benoit, Household or industrial device including programmable controller and method, device and system for use in configuring same.