US2019251256A1PendingUtilityA1

Secure privilege level execution and access protection

59
Assignee: MICROSOFT TECHNOLOGY LICENSING LLCPriority: Jun 14, 2013Filed: Dec 20, 2018Published: Aug 15, 2019
Est. expiryJun 14, 2033(~6.9 yrs left)· nominal 20-yr term from priority
G06F 12/1441G06F 21/554G06F 12/1483H04L 63/10G06F 12/1491G06F 12/0246G06F 2212/151G06F 2212/1032G06F 11/1008G06F 11/1004G06F 2221/031G06F 2212/1052
59
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice-versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or vice-versa. A register maintained by hardware, hypervisor, or system mode code contains data access and execution polices for different chunks of addressable space with respect to which requesting entities (hypervisor mode code, system mode code, user mode code) have access to or can execute code in a given chunk. When a request to execute code or access data with respect to an address is received, the request is processed to determine to which chunk the address corresponds. The policy for that chunk is evaluated to determine whether to allow or deny the request.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method comprising:
 separating addressable memory space into chunks, in which zero or more of the chunks address the same physical storage in whole or part as another chunk, and in which at least some of the chunks are associated with policy settings that identify one or more execution capabilities or one or more access capabilities of the chunks, or both, and including at least one policy setting that indicates whether code in the chunk is executable at a system privilege level or not, or whether data in the chunk is accessible as system mode data or not, and   enforcing whether code execution or data access is allowed for a request, in which the request indicates whether the request is to execute code or access data and an indication of a privilege level of the request, including by identifying a chunk with which the request is associated, accessing the policy settings based upon the request to determine the execution or data access capability of the chunk, and allowing or denying the request based upon the privilege level, whether the request is to execute code or access data and the capability of the chunk with which the request is associated.   
     
     
         2 . The method of  claim 1  further comprising receiving the request by a hypervisor or system mode code, and wherein enforcing whether code execution or data access is allowed for the request is performed by enforcement logic. 
     
     
         3 . The method of  claim 1  wherein the privilege level of the request corresponds to the system privilege level, wherein the policy settings indicate that the code in the chunk with which the request is associated is not executable at the system privilege level or data in the chunk is not accessible by system mode code, or both, and denying the request. 
     
     
         4 . The method of  claim 1  further comprising assigning an identifier to each chunk, in which the identifier for a chunk is part of an address within the addressable memory space for that chunk. 
     
     
         5 . The method of  claim 1  wherein identifying the chunk with which the request is associated comprises determining the chunk from an address associated with the request. 
     
     
         6 . The method of  claim 1  further comprising (a) writing the policy settings, including writing at least one policy setting that indicates whether the code in the chunk is executable at a user privilege level or not, or whether data in the chunk is accessible as user mode data or not, or both, or (b) writing the policy settings, including writing at least one policy setting that indicates whether the code in the chunk is executable in a hypervisor mode, or whether data in the chunk is accessible as hypervisor mode data or not, or both, or both (a) and (b). 
     
     
         7 . The method of  claim 1  further comprising subdividing at least one chunk into page structures, and wherein the policy settings includes data that identifies execution capabilities or one more access capabilities of the page structures, or both execution capabilities and one more data access capabilities of the page structures. 
     
     
         8 . The method of  claim 1  further comprising locking at least part of the policy settings. 
     
     
         9 . The method of  claim 8  wherein locking at least part of the policy settings comprises locking by hardware or software where the lock or locks are enforced by hardware, or by a hypervisor or higher-privileged software than software that set a particular lock. 
     
     
         10 . A system comprising: enforcement logic configured to prevent code from executing in another mode or at a different privilege level than a mode in which the code is intended to execute, and the enforcement logic configured to evaluate a request from a source related to code execution at an address against execution capability data maintained for chunks of address spaces to determine whether the address corresponds to a chunk in which the source is allowed to execute code. 
     
     
         11 . The system of  claim 10  wherein the enforcement logic is incorporated in hardware or incorporated into a hypervisor or system mode code, or a combination thereof, and wherein the source of the request comprises user mode code, system mode code, or hypervisor mode code. 
     
     
         12 . The system of  claim 10  wherein the enforcement logic is further configured to evaluate a request from a source related to data access at an address against data access information maintained for chunks of address spaces to determine whether the address corresponds to a chunk in which the source is allowed to access data. 
     
     
         13 . The system of  claim 10  wherein a subset of bits of the address identifies a chunk of a plurality of equal size chunks to which the address corresponds. 
     
     
         14 . The system of  claim 10  wherein at least two of the chunks of address spaces are different sizes from one another. 
     
     
         15 . The system of  claim 10  wherein at least part of the capability data is maintained in a register set in memory or in a processor location. 
     
     
         16 . The system of  claim 10  wherein the capability data for a chunk includes information that indicates whether chunk code is executable at user privilege level only, at system privilege level only or in hypervisor mode only. 
     
     
         17 . The system of  claim 10  wherein the capability data for a chunk includes information that indicates whether chunk data is accessible at user privilege level only, at system privilege level only or in hypervisor mode only. 
     
     
         18 . One or more computer-readable storage media having computer-executable instructions, which when executed perform steps, comprising enforcing code execution and data access policies at enforcement logic, including processing a request related to code execution or data access to evaluate a source of the request and an address associated with the request against policy settings to determine whether the request is allowed or denied for the source at the address associated with the request. 
     
     
         19 . The one or more computer-readable storage media of  claim 18  wherein the source of the request comprises system mode code, wherein the address corresponds to a chunk of addressable space designated as user mode only or hypervisor mode only in policy data corresponding to the code execution and data access policies, and wherein enforcing the code execution and data access policies comprises denying the request. 
     
     
         20 . The one or more computer-readable storage media of  claim 18  wherein the source of the request comprises hypervisor mode code, wherein the address corresponds to a chunk of addressable space designated as user mode only or system mode only in policy data corresponding to the code execution and data access policies, and wherein enforcing the code execution and data access policies comprises denying the request.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.