Secure privilege level execution and access protection

US10198578B2 · US · B2

Patent metadata

Publication number: US-10198578-B2
Application number: US-201615369874-A
Country: US
Kind code: B2
Filing date: Dec 5, 2016
Priority date: Jun 14, 2013
Publication date: Feb 5, 2019
Grant date: Feb 5, 2019

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice-versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or vice-versa. A register maintained by hardware, hypervisor, or system mode code contains data access and execution policies for different chunks of addressable space with respect to which requesting entities (hypervisor mode code, system mode code, user mode code) have access to or can execute code in a given chunk. When a request to execute code or access data with respect to an address is received, the request is processed to determine to which chunk the address corresponds. The policy for that chunk is evaluated to determine whether to allow or deny the request.

Claims

Full claim text for this publication.

What is claimed is:

1. A system for enforcing code execution and data access policies comprising: enforcement logic configured to: determine an access designation and an execution designation of a plurality of chunks, each of the plurality of chunks comprising a plurality of bits of addressable memory space and policy settings that identify one or more execution capabilities and one or more access capabilities, wherein a policy setting for a first chunk from the plurality of chunks indicates that code in the first chunk is executable by a first source and not a second source, and wherein a policy setting for a second chunk indicates that code in the second chunk is executable by the second source and not the first source; receive a request from the first source related to code execution at an address against the access designation of a chunk from the plurality of chunks corresponding to the address by accessing policy settings for the chunk; and upon determining that the chunk is the first chunk, allow the request; or upon determining that the chunk is the second chunk, deny the request.

2. The system of claim 1, wherein the enforcement logic is incorporated in hardware or incorporated into one or more of the following: a hypervisor and system mode code, and wherein the source of the request comprises user mode code, system mode code, or hypervisor mode code.

3. The system of claim 1, wherein the enforcement logic is further configured to: evaluate a request from a source related to data access at an address against data access information maintained for chunks of address spaces; and determine whether the address corresponds to a chunk in which the source is allowed to access data.

4. The system of claim 1, wherein a subset of bits of the address identifies a chunk of a plurality of equal size chunks to which the address corresponds.

5. The system of claim 1, wherein at least two of the chunks of address spaces are different sizes from one another.

6. The system of claim 1, wherein access designations are maintained in a register set in memory or in a processor location.

7. The system of claim 1, wherein the access designation for the plurality of chunks includes information that indicates whether chunk code is executable at user privilege level only, at system privilege level only or in hypervisor mode only.

8. The system of claim 1, wherein the access designation for the plurality of chunks includes information that indicates whether chunk data is accessible at user privilege level only, at system privilege level only or in hypervisor mode only.

9. A method comprising: determining an access designation and an execution designation of a plurality of chunks, each of the plurality of chunks comprising a plurality of bits of addressable memory space and policy settings that identify one or more execution capabilities and one or more access capabilities, wherein a policy setting for a first chunk from the plurality of chunks indicates that code in the first chunk is executable by a first source and not a second source, and wherein a policy setting for a second chunk indicates that code in the second chunk is executable by the second source and not the first source; receiving a request from the first source related to code execution at an address against the access designation of a chunk from the plurality of chunks corresponding to the address by accessing policy settings for the chunk; and upon determining that the chunk is the first chunk, allowing the request; or upon determining that the chunk is the second chunk, denying the request.

10. The method of claim 9, wherein the enforcement logic is incorporated in hardware or incorporated into one or more of the following: a hypervisor and system mode code, and wherein the source of the request comprises user mode code, system mode code, or hypervisor mode code.

11. The method of claim 9, further comprising: evaluating a request from a source related to data access at an address against data access information maintained for chunks of address spaces; and determining whether the address corresponds to a chunk in which the source is allowed to access data.

12. The method of claim 9, wherein a subset of bits of the address identifies a chunk of a plurality of equal size chunks to which the address corresponds.

13. The method of claim 9, wherein at least two of the chunks of address spaces are different sizes from one another.

14. The method of claim 9, wherein access designations are maintained in a register set in memory or in a processor location.

15. The method of claim 9, wherein the access designation for the plurality of chunks includes information that indicates whether chunk code is executable or accessible at user privilege level only, at system privilege level only or in hypervisor mode only.

16. A computer-readable storage memory having computer-executable instructions that are configured, upon execution, to perform operations comprising: determining an access designation and an execution designation of a plurality of chunks, each of the plurality of chunks comprising a plurality of bits of addressable memory space and policy settings that identify one or more execution capabilities and one or more access capabilities, wherein a policy setting for a first chunk from the plurality of chunks indicates that code in the first chunk is executable by a first source and not a second source, and wherein a policy setting for a second chunk indicates that code in the second chunk is executable by the second source and not the first source; receiving a request from the first source related to code execution at an address against the access designation of a chunk from the plurality of chunks corresponding to the address by accessing policy settings for the chunk; and upon determining that the chunk is the first chunk, allowing the request; or upon determining that the chunk is the second chunk, denying the request.

17. The computer-readable storage memory of claim 16, wherein the enforcement logic is incorporated in hardware or incorporated into one or more of the following: a hypervisor and system mode code, and wherein the first source of the request comprises user mode code, system mode code, or hypervisor mode code.

18. The one or more computer-readable storage memory of claim 16, wherein the computer-executable instructions are further configured to perform the following operations: evaluating a request from a source related to data access at an address against data access information maintained for chunks of address spaces; and determining whether the address corresponds to a chunk in which the first source is allowed to access data.

19. The computer-readable storage memory of claim 16, wherein a subset of bits of the address identifies a chunk of a plurality of equal size chunks to which the address corresponds.

20. The computer-readable storage memory of claim 16, wherein at least two of the chunks of address spaces are different sizes from one another, and wherein access designations are maintained in a register set in memory or in a processor location.
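The mechanism the abstract and claims describe (a policy register covering chunks of the address space, a lookup of the chunk an address falls in, and an allow/deny decision per requesting privilege level), as an added, constructed Python model. This is not code from the patent or from Microsoft. The 1 MiB chunk size, the three-way split of a 32-bit address space, the `Level` names and the request kinds "execute"/"access" are assumptions of the example. It goes slightly beyond the text by covering both the equal-size chunks indexed by upper address bits (claim 4) and differently sized chunks (claim 5) behind the same `enforce` routine.

```python
"""Constructed model of chunk-based execute/access policy enforcement.
Added illustration, not the patent's own code; chunk size, address split and
level names are assumptions."""
import bisect
from dataclasses import dataclass
from enum import Enum, auto


class Level(Enum):
    """Requesting entities named in the abstract."""
    USER = auto()
    SYSTEM = auto()
    HYPERVISOR = auto()


@dataclass(frozen=True)
class ChunkPolicy:
    exec_by: frozenset    # levels allowed to execute code located in the chunk
    access_by: frozenset  # levels allowed to read/write data located in the chunk


DENY_ALL = ChunkPolicy(frozenset(), frozenset())  # chunks with no policy deny everything

# Assumed: 1 MiB equal-size chunks, so the chunk index is the address with its
# low 20 bits dropped (the "subset of bits of the address" of claim 4).
CHUNK_SHIFT = 20


class EqualChunkRegister:
    """Policy table indexed directly by the upper address bits."""

    def __init__(self, address_bits: int = 32):
        self.table = [DENY_ALL] * (1 << (address_bits - CHUNK_SHIFT))

    def set_policy(self, start: int, end: int, policy: ChunkPolicy) -> None:
        # [start, end) must be chunk aligned for the table to be exact.
        for idx in range(start >> CHUNK_SHIFT, ((end - 1) >> CHUNK_SHIFT) + 1):
            self.table[idx] = policy

    def lookup(self, address: int) -> ChunkPolicy:
        return self.table[address >> CHUNK_SHIFT]


class RangeChunkRegister:
    """Chunks of different sizes (claim 5): sorted, non-overlapping [start, end) ranges."""

    def __init__(self):
        self.starts, self.ends, self.policies = [], [], []

    def set_policy(self, start: int, end: int, policy: ChunkPolicy) -> None:
        i = bisect.bisect_left(self.starts, start)
        overlaps_prev = i > 0 and self.ends[i - 1] > start
        overlaps_next = i < len(self.starts) and end > self.starts[i]
        if overlaps_prev or overlaps_next:
            raise ValueError("chunk overlaps an existing chunk")
        self.starts.insert(i, start)
        self.ends.insert(i, end)
        self.policies.insert(i, policy)

    def lookup(self, address: int) -> ChunkPolicy:
        i = bisect.bisect_right(self.starts, address) - 1
        if i >= 0 and address < self.ends[i]:
            return self.policies[i]
        return DENY_ALL  # address outside every chunk


def enforce(register, source: Level, kind: str, address: int) -> bool:
    """Allow the request only if the policy of the address's chunk names the source."""
    policy = register.lookup(address)
    if kind == "execute":
        return source in policy.exec_by
    if kind == "access":
        return source in policy.access_by
    raise ValueError(f"unknown request kind {kind!r}")


def only(level: Level) -> ChunkPolicy:
    """Chunk usable (code and data) by exactly one privilege level."""
    return ChunkPolicy(frozenset({level}), frozenset({level}))


def example_layout(register):
    """Assumed three-way split of a 32-bit space, one region per level."""
    register.set_policy(0x0000_0000, 0x8000_0000, only(Level.USER))
    register.set_policy(0x8000_0000, 0xC000_0000, only(Level.SYSTEM))
    register.set_policy(0xC000_0000, 0x1_0000_0000, only(Level.HYPERVISOR))
    return register


def check_requests(register) -> dict:
    """Constructed requests, each (source, kind, address); returns name -> allowed."""
    requests = {
        "user runs user code": (Level.USER, "execute", 0x0040_1000),
        "kernel runs user code": (Level.SYSTEM, "execute", 0x0040_1000),
        "kernel reads user data": (Level.SYSTEM, "access", 0x7000_0000),
        "user runs kernel code": (Level.USER, "execute", 0x8010_0000),
        "kernel runs kernel code": (Level.SYSTEM, "execute", 0x8010_0000),
        "user reads hypervisor data": (Level.USER, "access", 0xC000_0010),
        "hypervisor reads own data": (Level.HYPERVISOR, "access", 0xC000_0010),
    }
    return {name: enforce(register, *req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, ok in check_requests(example_layout(EqualChunkRegister())).items():
        print(f"{name:28s} -> {'allow' if ok else 'deny'}")
```

The equal-size register is what a hardware implementation would most naturally hold, since the lookup is a pure bit-slice of the address with no search; the range register trades a binary search for the ability to describe chunks of different sizes. Both deny by default for unmapped addresses, which is the safe failure mode for an enforcement table.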

Assignees

Microsoft Technology Licensing LLC

Inventors

Classifications

  • Reliability improvement, data loss prevention, degraded operation etc · CPC title

  • for a range · CPC title

  • Security improvement · CPC title

  • to protect a block of data words, e.g. CRC or checksum (G06F11/1076 takes precedence; security arrangements for protecting computers or computer systems against unauthorized activity G06F21/00) · CPC title

  • in individual solid state devices (G06F11/1004 takes precedence) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10198578B2 cover?
The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice-versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or …
Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification G06F21/554. Mapped technology areas include Physics.
When was this patent published?
Publication date: Feb 5, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).