Reserving a secure address range
US-2024220425-A1 · Jul 4, 2024 · US
US2024320317A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2024320317-A1 |
| Application number | US-202418677620-A |
| Country | US |
| Kind code | A1 |
| Filing date | May 29, 2024 |
| Priority date | Nov 30, 2021 |
| Publication date | Sep 26, 2024 |
| Grant date | — |
Official abstract text for this publication.
A kernel protection method and apparatus, and systems are provided, which relate to the field of security technologies. The method is applied to an electronic device. The method includes: working in a first privilege, and detecting a page table modification command, where the first privilege includes a kernel privilege, the page table modification command is used to modify access permission data in a target page table, and the target page table is a kernel-related page table; switching from the first privilege to a second privilege, and determining, under the second privilege, whether to modify the target page table based on the page table modification command, where a permission of the second privilege is higher than that of the first privilege; and modifying the access permission data in the target page table if determining to modify the target page table.
Opening claim text (preview).
1. A kernel protection method, wherein the method comprises: working in a first privilege, and detecting a page table modification command, wherein the first privilege comprises a kernel privilege, the page table modification command is used to modify access permission data in a target page table, and the target page table is a kernel-related page table; switching from the first privilege to a second privilege, and determining, under the second privilege, whether to modify the target page table based on the page table modification command, wherein a permission of the second privilege is higher than that of the first privilege; and modifying the access permission data in the target page table if determining to modify the target page table.
2. The method according to claim 1, wherein the kernel-related page table comprises at least one of the following page tables: a page table used for mapping a kernel code segment, a page table used for mapping a driver code segment, and a page table used for mapping a data segment; and the determining whether to modify the target page table based on the page table modification command comprises: determining whether the target page table is the page table used for mapping the kernel code segment, and whether the page table modification command is a preset command; and when the target page table is the page table used for mapping the kernel code segment, and the page table modification command is a preset command, determining to modify the target page table.
3. The method according to claim 1, wherein the method further comprises: creating first physical memory, a first page table, and a second page table under the first privilege, wherein the first page table and the second page table are stored in the first physical memory, the first page table is a page table used for mapping the first physical memory, and the second page table is a kernel-related page table.
4. The method according to claim 3, wherein an access permission of the first physical memory is read-only under the first privilege.
5. The method according to claim 3, wherein the first page table does not comprise a write permission under the first privilege, and the first page table comprises the write permission under the second privilege.
6. The method according to claim 2, wherein the preset command comprises an insn command.
7. A kernel protection apparatus, comprising: at least one processor, configured to work in a first privilege and detect a page table modification command, wherein the first privilege comprises a kernel privilege, the page table modification command is used to modify access permission data in a target page table, and the target page table is a kernel-related page table; switch from the first privilege to a second privilege, and determine, under the second privilege, whether to modify the target page table based on the page table modification command, wherein a permission of the second privilege is higher than that of the first privilege; and modify the access permission data in the target page table if determining to modify the target page table.
8. The apparatus according to claim 7, wherein the kernel-related page table comprises at least one of the following page tables: a page table used for mapping a kernel code segment, a page table used for mapping a driver code segment, and a page table used for mapping a data segment; and determining whether to modify the target page table based on the page table modification command comprises: determining whether the target page table is the page table used for mapping the kernel code segment, and whether the page table modification command is a preset command; and when the target page table is the page table used for mapping the kernel code segment, and the page table modification command is a preset command, determining to modify the target page table.
9. The apparatus according to claim 7, wherein the at least one processor is further configured to create first physical memory, a first page table, and a second page table under the first privilege, wherein the first page table and the second page table are stored in the first physical memory, the first page table is a page table used for mapping the first physical memory, and the second page table is a kernel-related page table.
10. The apparatus according to claim 9, wherein an access permission of the first physical memory is read-only under the first privilege.
11. The apparatus according to claim 9, wherein the first page table does not comprise a write permission under the first privilege, and the first page table comprises the write permission under the second privilege.
12. The apparatus according to claim 8, wherein the preset command comprises an insn command.
13. An electronic device, comprising: one or more processors; a memory; and one or more computer programs, wherein the one or more computer programs are stored in the memory; and when the one or more computer programs are executed by the one or more processors, the electronic device is enabled to perform operations comprising: working in a first privilege, and detecting a page table modification command, wherein the first privilege comprises a kernel privilege, the page table modification command is used to modify access permission data in a target page table, and the target page table is a kernel-related page table; switching from the first privilege to a second privilege, and determining, under the second privilege, whether to modify the target page table based on the page table modification command, wherein a permission of the second privilege is higher than that of the first privilege; and modifying the access permission data in the target page table if determining to modify the target page table.
14. The electronic device according to claim 13, wherein the kernel-related page table comprises at least one of the following page tables: a page table used for mapping a kernel code segment, a page table used for mapping a driver code segment, and a page table used for mapping a data segment; and the determining whether to modify the target page table based on the page table modification command comprises: determining whether the target page table is the page table used for mapping the kernel code segment, and whether the page table modification command is a preset command; and when the target page table is the page table used for mapping the kernel code segment, and the page table modification command is a preset command, determining to modify the target page table.
15. The electronic device according to claim 13, wherein the operations comprise creating first physical memory, a first page table, and a second page table under the first privilege, wherein the first page table and the second page table are stored in the first physical memory, the first page table is a page table used for mapping the first physical memory, and the second page table is a kernel-related page table.
16. The electronic device according to claim 15, wherein an access permission of the first physical memory is read-only under the first privilege.
17. The electronic device according to claim 15, wherein the first page table does not comprise a write permission under the first privilege, and the first page table comprises the write permission under the second privilege.
18. A non-transitory computer-readable storage medium, wherein the computer-readable storage medium comprises a computer program or instructions; and whe
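The decision flow of claims 1, 2, 4 and 5, as an added model that is not part of the patent or any product: the kernel (first privilege) detects a page table modification command, control passes to a higher privilege, the higher privilege approves only a preset command aimed at the kernel code page table, and the memory holding the page tables is writable only under that higher privilege. The type names, the `preset` flag and the assignment that stands in for a real privilege switch are this example's own assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Which kernel-related page table a command targets (claim 2). */
enum pt_kind { PT_KERNEL_CODE, PT_DRIVER_CODE, PT_DATA };
/* The two privilege levels of the claims: kernel (first) and a higher one (second). */
enum priv { PRIV_KERNEL = 1, PRIV_HIGHER = 2 };

#define PTE_R 0x1u
#define PTE_W 0x2u
#define PTE_X 0x4u
#define PT_ENTRIES 4u

/* Toy page table: a kind tag plus a handful of permission-bit entries. */
struct page_table { enum pt_kind kind; uint32_t pte[PT_ENTRIES]; };

/* A page table modification command as the kernel sees it. "preset" marks the
 * command type the higher privilege is allowed to honour (claims 2 and 6);
 * the flag is this example's assumption. */
struct pt_cmd { struct page_table *target; unsigned idx; uint32_t perms; bool preset; };

/* Claims 4 and 5: the memory holding the page tables is read-only under the
 * kernel privilege; only the higher privilege may write an entry. */
bool pt_write(struct page_table *pt, unsigned idx, uint32_t perms, enum priv level) {
    if (level != PRIV_HIGHER || idx >= PT_ENTRIES) return false;
    pt->pte[idx] = perms;
    return true;
}

/* Claim 2, evaluated under the higher privilege: modify only when the target is
 * the kernel code page table and the command is a preset command. */
bool higher_should_modify(const struct pt_cmd *c, enum priv level) {
    if (level != PRIV_HIGHER) return false;            /* decision is never taken in the kernel */
    return c->target->kind == PT_KERNEL_CODE && c->preset;
}

/* Claim 1: kernel-side entry point. Detect the command, switch to the higher
 * privilege, decide there, and write only if approved. Returns true on write. */
bool handle_pt_modification(struct pt_cmd *c) {
    enum priv level = PRIV_KERNEL;
    /* A real system would trap here (e.g. a hypervisor or monitor call); the
     * switch is modelled as an assignment in this example. */
    level = PRIV_HIGHER;
    bool ok = higher_should_modify(c, level) && pt_write(c->target, c->idx, c->perms, level);
    level = PRIV_KERNEL;                                /* return to the kernel privilege */
    return ok;
}
```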
CPC classification titles:
- in a hierarchical protection system, e.g. privilege levels, memory rings
- Security improvement
- Access rights, e.g. capability lists, access control lists, access tables, access matrices
- using page tables, e.g. page table structures
- Program or device authentication