Title of invention: ISOLATING DATA WITHIN A COMPUTER SYSTEM USING PRIVATE SHADOW MAPPINGS
Abstract: Virtualization software establishes multiple execution environments within a virtual machine, wherein software modules executing in one environment cannot access private memory of another environment. A separate set of shadow memory address mappings is maintained for each execution environment. For example, a separate shadow page table may be maintained for each execution environment. The virtualization software ensures that the shadow address mappings for one execution environment do not map to the physical memory pages that contain the private code or data of another execution environment. When execution switches from one execution environment to another, the virtualization software activates the shadow address mappings for the new execution environment. A similar approach, using separate mappings, may also be used to prevent software modules in one execution environment from accessing the private disk space or other secondary storage of another execution environment.
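Publication number: US2016179564(A1); Publication date: 2016.06.23
Application number: US201615055468; Filing date: 2016.02.26
Applicant: VMware, Inc.; Inventors: CHEN Xiaoxin; WALDSPURGER Carl A.; SUBRAHMANYAM Pratap
Classification: G06F9/455; Main classification: G06F9/455
Agency: ; Agent: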
Main claim: 1. A computer system comprising: system hardware including a system memory; and virtualization software supporting a virtual machine (VM) and a secure application execution environment, the virtualization software making a first portion of the system memory available for access within the VM and a second portion of the system memory available for access within the secure application execution environment; and guest software executing within the VM, the guest software including a guest operating system, a first software entity and a second software entity, the second software entity also executing within the secure application execution environment, wherein: the virtualization software activates a first set of hardware address mappings that are used to map attempted memory accesses to actual physical addresses in the first portion of the system memory when the first software entity executes within the VM; the virtualization software activates a second set of hardware address mappings that are used to map attempted memory accesses to actual physical addresses in the first portion of the system memory when the second software entity executes within the VM; and the virtualization software activates a third set of hardware address mappings that are used to map attempted memory accesses to actual physical addresses in the second portion of the system memory when the second software entity executes within the secure application execution environment.
Address: Palo Alto CA US