Compiling techniques for hardening software programs against branching programming exploits
US-10635823-B2 · Apr 28, 2020 · US
US10824717B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10824717-B2 |
| Application number | US-201816004191-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 8, 2018 |
| Priority date | Feb 6, 2018 |
| Publication date | Nov 3, 2020 |
| Grant date | Nov 3, 2020 |
Official abstract text for this publication.
In accordance with embodiments of the present disclosure, a binary translator can perform address shifting on the binary code of an executing application. Address shifting serves to shift the addresses of memory operations that can access locations in the kernel address space into address locations in the user space, thus avoiding speculative access into the kernel address space.
Opening claim text (preview).
The invention claimed is:
1. A method for executing an application by a central processing unit (CPU) in a computer system, the method comprising: accessing, by the computer system, a code page of the application from a physical memory of the computer system, the accessed code page comprising computer executable instructions to be executed by the CPU; rewriting, by the computer system, the accessed code page to produce a rewritten code page, including: copying computer executable instructions in the accessed code page to the rewritten code page; and in response to a computer executable instruction being a memory operation, writing address shifting code associated with the memory operation to the rewritten code page followed by writing the memory operation to the rewritten code page, wherein for each memory operation in the rewritten code page, its associated address shifting code is inserted immediately prior in sequence to that memory operation, wherein the accessed code page is marked for non-execution, wherein the rewritten code page is marked for execution; and executing, by the computer system, computer executable instructions in the rewritten code page instead of executing computer executable instructions in the accessed code page.
2. The method of claim 1, wherein rewriting the accessed code page further includes rewriting a memory operation to produce a replacement memory operation and writing the replacement memory operation to the rewritten code page.
3. The method of claim 1, wherein rewriting the accessed code page to produce a rewritten code page occurs in response to a first occurrence of an access to a computer executable instruction in the accessed code page.
4. The method of claim 1, wherein, for each memory operation, its associated address shifting code masks out a range of addresses that belong to a kernel address space in a virtual address space of the computer executable machine instructions to prevent access to a kernel address space by that memory operation.
5. A non-transitory computer-readable storage medium having stored thereon computer executable instructions, which when executed by a computer device, cause the computer device to: access a code page of the application from a physical memory of the computer system, the accessed code page comprising computer executable instructions to be executed by the CPU; rewrite the accessed code page to produce a rewritten code page, including: copying computer executable instructions in the accessed code page to the rewritten code page; and in response to a computer executable instruction being a memory operation, writing address shifting code associated with the memory operation to the rewritten code page followed by writing the memory operation to the rewritten code page, wherein for each memory operation in the rewritten code page, its associated address shifting code is inserted immediately prior in sequence to that memory operation, wherein the accessed code page is marked for non-execution, wherein the rewritten code page is marked for execution; and execute computer executable instructions in the rewritten code page instead of executing computer executable instructions in the accessed code page.
6. The non-transitory computer-readable storage medium of claim 5, wherein rewriting the accessed code page further includes rewriting a memory operation to produce a replacement memory operation and writing the replacement memory operation to the rewritten code page.
7. The non-transitory computer-readable storage medium of claim 5, wherein rewriting the accessed code page to produce a rewritten code page occurs in response to a first occurrence of an access to a computer executable instruction in the accessed code page.
8. The non-transitory computer-readable storage medium of claim 5, wherein, for each memory operation, its associated address shifting code masks out a range of addresses that belong to a kernel address space in a virtual address space of the computer executable machine instructions to prevent access to a kernel address space by that memory operation.
9. An apparatus comprising: one or more computer processors; and a computer-readable storage medium comprising instructions for controlling the one or more computer processors to be operable to: access a code page of the application from a physical memory of the computer system, the accessed code page comprising computer executable instructions to be executed by the CPU; rewrite the accessed code page to produce a rewritten code page, including: copying computer executable instructions in the accessed code page to the rewritten code page; and in response to a computer executable instruction being a memory operation, writing address shifting code associated with the memory operation to the rewritten code page followed by writing the memory operation to the rewritten code page, wherein for each memory operation in the rewritten code page, its associated address shifting code is inserted immediately prior in sequence to that memory operation, wherein the accessed code page is marked for non-execution, wherein the rewritten code page is marked for execution; and execute computer executable instructions in the rewritten code page instead of executing computer executable instructions in the accessed code page.
10. The apparatus of claim 9, wherein rewriting the accessed code page further includes rewriting a memory operation to produce a replacement memory operation and writing the replacement memory operation to the rewritten code page.
11. The apparatus of claim 9, wherein rewriting the accessed code page to produce a rewritten code page occurs in response to a first occurrence of an access to a computer executable instruction in the accessed code page.
12. The apparatus of claim 9, wherein, for each memory operation, its associated address shifting code masks out a range of addresses that belong to a kernel address space in a virtual address space of the computer executable machine instructions to prevent access to a kernel address space by that memory operation.
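The rewriting step described in the claims, as an added C example that is not code from the patent: a toy rewriter copies instructions to a new page and emits a mask instruction immediately before each memory operation, and `shift_address` shows what the mask does to a kernel-half address. The instruction set, the function names and the 48-bit mask constant (user space in the lower canonical half) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumption: x86-64 style 48-bit layout, user space = lower canonical half. */
#define USER_ADDR_MASK 0x00007FFFFFFFFFFFULL

/* Toy instruction set (hypothetical, not a real ISA encoding). */
enum op { OP_ALU, OP_LOAD, OP_STORE, OP_MASK };
struct insn { enum op op; int addr_reg; };

/* Address shifting: kernel-half addresses land in the user half, others are unchanged. */
uint64_t shift_address(uint64_t addr) { return addr & USER_ADDR_MASK; }

static int is_memory_op(const struct insn *i) {
    return i->op == OP_LOAD || i->op == OP_STORE;
}

/* Copy `in` to `out`, emitting OP_MASK on the address register immediately
 * before every memory operation. Returns the rewritten length, or 0 if
 * `out` is too small (a partial page must never be marked executable). */
size_t rewrite_page(const struct insn *in, size_t n,
                    struct insn *out, size_t cap) {
    size_t w = 0;
    for (size_t r = 0; r < n; r++) {
        size_t need = is_memory_op(&in[r]) ? 2 : 1;
        if (cap - w < need) return 0;
        if (need == 2)
            out[w++] = (struct insn){ OP_MASK, in[r].addr_reg };
        out[w++] = in[r];
    }
    return w;
}

/* Invariant from the claims: every memory operation is directly preceded
 * by address shifting code for the same address register. */
int page_is_hardened(const struct insn *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (!is_memory_op(&p[i])) continue;
        if (i == 0 || p[i - 1].op != OP_MASK || p[i - 1].addr_reg != p[i].addr_reg)
            return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed sample page: ALU, LOAD via r1, STORE via r2. */
    struct insn in[] = {{OP_ALU, 0}, {OP_LOAD, 1}, {OP_STORE, 2}}, out[8];
    size_t n = rewrite_page(in, 3, out, 8);
    return !(n == 5 && page_is_hardened(out, n));
}
```

The model leaves out the page-permission half of the claims: the original page is marked non-executable and only the rewritten page is executed, so a check like `page_is_hardened` would run before that permission flip.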
Security improvement · CPC title
using adaptive policy · CPC title
Space efficiency improvement · CPC title
Emulated environment, e.g. virtual machine · CPC title
by adding security routines or objects to programs · CPC title