Title of invention: Copy equivalent protection using secure page flipping for software components within an execution environment
Abstract: Embodiments of copy equivalent protection using secure page flipping for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor (VMM), Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. In an embodiment, an embedded VM is allowed to directly manipulate page table mappings so that, even without running the VMM or obtaining VMXRoot privilege, the embedded VM can directly flip pages of memory into its direct/exclusive control and back. Other embodiments may be described and claimed.
Publication number: US8909898(B2) Publication date: 2014.12.09
Application number: US201313860912 Filing date: 2013.04.11
Applicant: Intel Corporation Inventors: Durham David;Dewan Prashant
Classification: G06F12/00;G06F12/14;G06F9/455 Main classification: G06F12/00
Agency: Trop, Pruner & Hu, P.C. Agent: Trop, Pruner & Hu, P.C.
Main claim: 1. A system, comprising: at least one processor; an embedded virtual machine (VM) hosted by a platform including the at least one processor; and a guest VM, wherein both the embedded VM and the guest VM have mappings for a physical page table in at least one memory coupled to the at least one processor and included on the platform, wherein the embedded VM has equal or better permissions to the physical page table than the guest VM, wherein the embedded VM is configured to flip permissions on one or more pages in the physical page table for the guest VM such that the permissions are flipped from ‘read and write’ to ‘read-only’; wherein exclusive control of the embedded VM to the physical page table occurs without invoking a virtual machine monitor (VMM).
Address: Santa Clara CA US