335 results about "Memory protection" patented technology

An asynchronous message passing mechanism that allows for multiple messages to be batched for delivery between processes, while allowing for full memory protection during data transfers and a lockless mechanism for speeding up queue operation and queuing and delivering messages simultaneously.

According to one embodiment, a system comprising a dynamic analysis server comprising one or more virtual machines is disclosed, wherein the one or more virtual machines may be configured to execute certain event logic with respect to a loaded module. The virtual machines may be communicatively coupled to a virtual machine manager and a database; and rule-matching logic comprising detection logic, wherein the detection logic is configured to determine (1) whether an access source is attempting to access a protected region such as a page guarded area; and (2) determine whether the access source is from the heap. The system further comprises reporting logic that is configured to generate an alert so as to notify a user and/or network administrator of a probable application-execution hijacking attack.

A method and apparatus to protect memory consistency in a multiprocessor computing system are described, in particular relating to program code conversion such as dynamic binary translation. The exemplary system provides a memory, processors and a controller/translator unit (CTU) arranged to convert subject code into at least first and second target code portions executable on the processors. The CTU comprises an address space allocation unit to provide virtual address space regions and direct the target code portions to access the memory therethough; a shared memory detection unit to detect a request to access a shared memory area, accessible by both target code portions, and to identify at least one group of instructions in the first target code portion which access the shared memory area; and a memory protection unit to selectively apply memory consistency protection in relation to accesses to the shared memory area by the identified group of instructions.

A shared memory controller is provided for controlling access to a shared memory by a plurality of processors. At least one device includes a storage area for storing a respective address range for each of a plurality of memory regions. The at least one device further includes a permission table containing, for each of the plurality of memory regions, read and write permission data for each of the plurality of processors. A memory fault detector is coupled to the at least one device and has an input for receiving a memory access request including a memory address, a processor identification and a read/write indicator. The memory fault detector includes logic for determining whether a memory access according to the memory access request would conflict with the read and write permission data in the permission table.

A computer system includes a first portion of a Hypervisor is loaded into the memory as a part of an Extensible Firmware Interface upon start up and prior to loading of an operating system. The first portion is responsible for context switching, at least some interrupt handling, and memory protection fault handling. The first portion runs on a root level. An operating system is loaded into a highest privilege level. A second portion of the Hypervisor is loaded into operating system space together with the operating system, and runs on the highest privilege level, and is responsible for (a) servicing the VMM, (b) servicing the VMs, (c) enabling communication between code launched on non-root level with the second portion of the Hypervisor to perform security checks of trusted code portions and to enable root mode for the code portions if allowable. The VMM runs on the highest privilege level. A Virtual Machine is running under control of the VMM. Trusted code runs on non-root level. The first portion of the Hypervisor verifies trusted code portions during their loading or launch time, and the trusted code is executed on root level.

The use of a token-based memory protection technique may provide memory protection in a computer system employing memory virtualization. A token-based memory protection technique may include assigning a unique identifier to an application, process, or thread, and associating the identifier with a block of memory allocated to that application, process, or thread. Subsequent to assigning the identifier, a packet requesting access to that block of memory may include a token to be compared to the identifier. A memory controller may be configured to associate the identifier with the block of memory and to compare the token in the memory request packet to the identifier before granting access. If a second block of memory is subsequently allocated to the application, process, or thread, the identifier may be disassociated with the first block of memory and associated with the second block of memory.

A method, apparatus, and software product allow signalling toward a multi-channel memory subsystem within an application processing architecture, and routing of that signalling via a single sandbox which provides memory protection by controlling memory usage and blocking the signalling if it is unauthorized. The signalling via the sandbox leads to a plurality of different memory locations, and the sandbox is an intermediary for substantially all execution memory accesses to the multi-channel memory subsystem.

An apparatus and method for unilaterally loading a secure operating system within a multiprocessor environment are described. The method includes disregarding a received load secure region instruction when a currently active load secure region operation is detected. Otherwise, a memory protection element is directed, in response to the received load secure region instruction, to form a secure memory environment. Once directed, unauthorized read/write access to one or more protected memory regions are prohibited. Finally, a cryptographic hash value of the one or more protected memory regions is stored within a digest information repository as a secure software identification value. Once stored, outside agents may request access to a digitally signed software identification value in order to establish security verification of secure software within the secure memory environment.

In a computer system supporting execution of virtualization software and at least one instance of virtual system hardware, an interface is provided into the virtualization software to allow a program to directly define the access characteristics of its program data stored in physical memory. The technique includes providing data identifying memory pages and their access characteristics to the virtualization software which then derives the memory access characteristics from the specified data. Optionally, the program may also specify a pre-defined function to be performed upon the occurrence of a fault associated with access to an identified memory page. In this manner, programs operating both internal and external to the virtualization software can protect his memory pages, without intermediation by the operating system software.

In a disclosed embodiment, a data processing system comprises a memory protection unit (MPU); and a plurality of region descriptors associated with the MPU. Each region descriptor is associated with one of multiple subsets of the region descriptors and includes an address range, protection settings, and attributes for a respective region of memory. The subsets include data-only region descriptors, instruction-only region descriptors, and shared region descriptors. The shared region descriptors are used to access memory regions for data and instruction memory requests.

A system includes an application server that hosts a plurality of enterprise applications and stores enterprise data associated with each of the enterprise applications. A client device executes a client application that can provide access to each of the enterprise applications. The client application includes a memory protection engine that allocates a first memory location for the enterprise data transmitted to the client device so the enterprise data is accessible to each of the plurality of enterprise applications through the client application. A second allocated memory location is allocated for non-enterprise data. A mobile enterprise server transmits the enterprise data to the client device.

The invention discloses a virtual machine Xen-based active defense method, which comprises the following steps of: generating a virtual machine for a user by using Xen, and making the user perform operation in the virtual machine; simultaneously removing conventional security programs required to be installed in the virtual machine and arranging the removed security programs outside the virtual machine of a system, so that kernel modules of the security programs are invisible for rogue programs; in addition, setting a front-end drive in the virtual machine of the user to make the security modules outside the virtual machine can scan and intervene in the operation in the virtual machine, and simultaneously protecting the front-end drive by using a memory protection module in a monitor layer of the virtual machine to prevent the front-end drive from being attacked by the rogue programs. In the method, the kernel modules are arranged outside the virtual machine, and are invisible for therogue programs, thereby achieving security higher than that of a conventional security program deployment method; in addition, a para-virtualization front/rear-end drive communication way is introduced to greatly reduce system overhead caused by virtualization and make the method highly practicable.

A method and system usable in sensor networks for handling memory faults is disclosed. In order to protect the operating system of a sensor node, coarse-grained memory protection is provided by creating and enforcing an application fault domain in the data memory address space of the sensor node. The data memory accessed by the application modules is restricted to the region (which defines the application fault domain) within the data memory address space. The application modules are prevented from accessing memory outside the application fault domain through software-based run-time checks. The state belonging to the operations system is maintained outside of the application fault domain, and is thus protected from memory corruption from any application module. In order to ensure that an application module does not operate on a corrupted state, fine-grained error detection and recovery is provided within the application fault domain. Any corruption of memory within the application fault domain is detected by a run-time memory integrity verifier implemented in the operating system kernel. Recovery involves purging the corrupted state and restarting only the affected application module to operate on an uncorrupted state.