KR101460451B1 - Apparatus and method for controlling process address space - Google Patents
Apparatus and method for controlling process address space Download PDFInfo
- Publication number
- KR101460451B1 KR101460451B1 KR1020130106995A KR20130106995A KR101460451B1 KR 101460451 B1 KR101460451 B1 KR 101460451B1 KR 1020130106995 A KR1020130106995 A KR 1020130106995A KR 20130106995 A KR20130106995 A KR 20130106995A KR 101460451 B1 KR101460451 B1 KR 101460451B1
- Authority
- KR
- South Korea
- Prior art keywords
- application program
- computer
- information
- memory
- address space
- Prior art date
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/02—Addressing or allocation; Relocation
- G06F12/06—Addressing a physical block of locations, e.g. base addressing, module addressing, memory dedication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/02—Addressing or allocation; Relocation
- G06F12/08—Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
- G06F12/10—Address translation
- G06F12/1009—Address translation using page tables, e.g. page table structures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/50—Allocation of resources, e.g. of the central processing unit [CPU]
- G06F9/5005—Allocation of resources, e.g. of the central processing unit [CPU] to service a request
- G06F9/5011—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
- G06F9/5016—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals the resource being the memory
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Storage Device Security (AREA)
Abstract
A memory management device and method for executing an application program on a computer device is disclosed. The memory management apparatus includes a memory control request unit that extracts authority information on computer resources and identification information of computer resources contained in a computer apparatus required for execution of an application program in response to an execution request for an application program, And a memory control unit for generating a process address space in which an application program and a memory address of a computer resource are mapped based on the external information and the identification information. The memory management method includes: extracting authorization information and computer resource identification information about a computer resource included in a computer apparatus required for execution of an application program according to an execution request for an application program; And creating a process address space mapping a memory address of the application program and the computer resource based on the information and the identification information.
Description
The present invention relates to an apparatus and method for controlling use of various computer resources expressed in a physical memory space of a process address space used by a user application program.
In modern operating systems, a virtual address space is created from the viewpoint of the process by using the virtual memory technique, and the data is freely loaded in the corresponding address space, and this space is divided into several parts depending on the level of use. For example, on a 32-bit Linux operating system, an application is given 4 GB of virtual address space by default, 3 GB of which is the user address space and the remaining 1 GB is the kernel address space.
The user application accesses and executes code and data in the kernel address space as needed. This is handled by address mapping, in which the contents of the actual physical memory are mapped to the user address space and the kernel address space, respectively. Here, among the address spaces mapped to the application program, the kernel address space is configured to be shared by all application programs. For example, on a 32-bit Linux operating system, the 1 GB kernel address space is shared in the virtual address space of all applications. This sharing, however, leads to unintended problems. For example, user applications with fraudulent intent may access device drivers of devices that should not be accessed, steal data, or cause problems such as system hacking through unintended execution.
This virtual memory technique is widely used to protect the memory of a computer device and provide a stable computing environment. For example, when only the actual physical memory space is used without using the virtual memory technique, a process having a capacity larger than the size of the main memory of the computer can not be loaded in the memory, and therefore, execution is impossible. A typical example of an application using the com extension of MS-DOS is physical memory only.
If the user performs a process that exceeds the size of the computer's main memory while using the computer, the user will encounter a system failure screen. Virtual memory techniques are designed to overcome these limitations.
In addition, the virtual memory technique prevents a process running in the operating system from accessing memory in an area not allocated to itself, thereby preventing a bug in the process from affecting the operation of another process, It is also responsible for preventing unauthorized access to the system.
Using the virtual memory technique, a virtual address space is created from the viewpoint of the process and is mapped to the actual physical memory space. Generally, the process address space created to execute an application consists of a space for access in user mode and a space for access in system mode. The operating system is responsible for setting up and managing the process address space entirely. Therefore, the entire operating system must be a Trusted Computing Base (TCB). If the operating system is exposed to an external attack, the security of the entire system is compromised.
SUMMARY OF THE INVENTION It is an object of the present invention to provide a method for effectively executing an application program in an environment without a device driver.
It is another object of the present invention to provide an apparatus for effectively executing an application program in an environment without a device driver.
According to an aspect of the present invention, there is provided an apparatus management apparatus for managing a memory address for executing an application program in a computer apparatus, the apparatus managing apparatus comprising: A memory control request unit for extracting rights information of the computer resources inherent to the computer device and identification information of the computer resources; and a memory control unit for requesting memory addresses of application programs and computer resources based on the privilege information and identification information outside the kernel area of the computer apparatus And a memory control unit for generating a mapped process address space.
Here, the memory management device may be located outside the kernel area of the computer device and may replace part or all of the memory management module contained in the kernel area.
Here, the memory management apparatus may further include a mapping information storage unit storing the authority information and the identification information. Further, the right information may be set before execution of the application program, or may be generated when the application program is executed.
Here, the computer resources may include at least one of a library, a kernel module, and a device driver.
Here, the privilege information may be information indicating whether the computer resource is permitted to access, read, write, or change.
Here, the identification information may include a unique identifier of the computer resource and address information of the physical memory space allocated to the computer resource. Further, the identifier may indicate the function of the computer resource.
Here, the memory control unit may generate a process address space in which an application program is mapped only to a physical memory space of a computer resource having usage rights, or may map an application program to all the computer resources inherent in the computer apparatus, The processor address space can be created by unmapping the computer resources that do not have this use right.
Here, the memory control unit may modify the page information of the process address space to change the authority information on the computer resource.
According to an aspect of the present invention, there is provided a method for managing a memory address for executing an application program in a computer device, the method comprising: A step of extracting authorization information of a computer resource embedded in the device and identification information of the computer resource; a process address mapping a memory address of the application program and a computer resource based on the privilege information and the identification information outside the kernel area of the computer device; And creating a space.
Here, the device on which the memory management method is performed may replace some or all of the memory management modules located in the kernel area, which are located outside the kernel area of the computer device.
Here, the memory management method may further include storing the right information before the step of extracting the right information and the identification information. Further, the right information may be set before execution of the application program, or may be generated when the application program is executed.
Here, the computer resources may include at least one of a library, a kernel module, and a device driver.
Here, the privilege information may be information indicating whether the computer resource is permitted to access, read, write, or change.
Here, the identification information may include a unique identifier of the computer resource and address information of the physical memory space allocated to the computer resource. Further, the identifier may indicate the function of the computer resource.
Here, the step of creating the process address space may include: generating an address space in which an application program is mapped only to a physical memory space of a computer resource having usage rights; or mapping an application program to all computer resources After that, the application can create a processor address space by unmapping the computer resources that do not have usage rights.
Also, the step of creating the process address space may modify the page information of the process address space to change the right information about the computer resource.
In the memory management apparatus and method according to the present invention, when executing an application program, the address space of the corresponding process is dynamically changed to map only a usable area of the application program, It is possible to control the use by a right of a service, that is, a module, a device driver, a user library, another application program, etc., operating in the kernel.
Also, since the configuration / management of the process address space can be performed through the third controller that is separated from the kernel area of the operating system, the entire system security can be protected even if the operating system is exposed to an external attack such as hacking.
1 is a conceptual diagram for explaining the structure of a general computer device.
2 is a conceptual diagram illustrating a structure of a computer apparatus according to an embodiment of the present invention.
3 is a conceptual diagram for explaining a memory management device and its components according to an embodiment of the present invention.
4 is a conceptual diagram for explaining a general process address space.
5 is a conceptual diagram illustrating a process address space generated as a result of process address space control according to an embodiment of the present invention.
6 is an exemplary diagram for explaining rights information on computer resources of an application program according to an embodiment of the present invention.
7 is an exemplary diagram for explaining identification information of a computer resource.
8 is an exemplary diagram for explaining process address space control using a page table.
9 is a flowchart for explaining each step of the memory management method.
While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Like reference numerals are used for like elements in describing each drawing.
The terms first, second, A, B, etc. may be used to describe various elements, but the elements should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. And / or < / RTI > includes any combination of a plurality of related listed items or any of a plurality of related listed items.
It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between.
The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify that there is a feature, a number, a step, an operation, an element, a component or a combination thereof described in the specification, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.
Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the contextual meaning of the related art and are to be interpreted as either ideal or overly formal in the sense of the present application Do not.
First, the terms used in the present application are defined as follows.
Physical memory space is the space in which the physical address used to access the main memory of the computer is loaded in the address register and is accessible as such physical address. Also called Physical Address Space, it is the same as the physical memory space of the computer. One of the most representative examples of using physical memory space is a program of the com extension type of MS-DOS. The physical memory space alone can not place a process having a capacity larger than the size of the main memory of the computer in memory, . Virtual memory techniques are designed to overcome these limitations.
A kernel is a part of an operating system that performs resource allocation for a process that constitutes the operating system and a program that is executed under the control of the operating system. For example, the kernel of the Linux operating system consists of process control blocks and file systems, such as process scheduler, interprocess communication, synchronization, process space control, device drivers, and power management.
On the other hand, in order to communicate with the kernel area of the operating system and the user application, a command interpreter is required which reads the sentences inputted by the user and executes the system functions requested by the sentences. shell. That is, the operating system may be divided into a shell, which is in contact with the user application, and a kernel, which is a set of actual sub routines.
As the term used in the present invention, an authority refers to whether or not any computer resources can be used. Permission to use at this time is called authorization. Here, the computer resources include both the software and the hardware contained in the computer device. And may include various libraries, various modules in the kernel area of the operating system, device drivers, and the like.
The primary reason for managing these privileges is to ensure that only authorized users access the authorized resources to secure the data. The authorization management infrastructure may vary depending on the type of computer resources to be used and the need for rights management. For example, it is possible to manage only the access permission for arbitrary computer resources, or to manage different access rights according to a subject who accesses computer resources.
A page table is a term used when a paging technique, one of the virtual memory techniques, is used. The paging technique is a technique of organizing all the virtual memory devices into blocks of the same size, and the blocks of the same size are referred to as pages. One process has one page table. The page table lists the page number and the starting address of the physical memory allocated to that page. By referring to the page table, the physical memory address allocated to the process can be known.
Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings.
1 is a conceptual diagram for explaining the structure of a general computer device.
Referring to FIG. 1, a
If it is assumed that such hardware is at the bottom, it is the
It may be referred to as a shell to provide an interface for communicating with the user application program to the
2 is a conceptual diagram illustrating a structure of a computer apparatus according to an embodiment of the present invention.
Referring to FIG. 2, the case where the
In the
Thus, it is possible to directly modify the source code of the Linux kernel, or to modify or delete some or all of the source code contents related to the
At this time, the
3 is a conceptual diagram for explaining a
Referring to FIG. 3, the
An authority for a certain user application to use computer resources in the computer device can be managed by the
The
The
In the
4 is a conceptual diagram for explaining a general process address space.
Referring to FIG. 4, the
In the first
In the second
Here, the kernel address area of the first process and the kernel address area of the second process are configured to be completely identical, and the same situation arises even if a third process is created. Also, among the user address areas of the first process, the same area is also mapped in the library 1.
The interval indicated by X in the two process address spaces is an interval in which actual memory mapping is not performed, and a page fault occurs in the access request for the corresponding interval.
FIG. 5 is a conceptual diagram illustrating a process address space generated as a result of process address space control according to an embodiment of the present invention. FIG. Fig.
5 to 6 and FIG. 3 described above, the
The memory
The authority information may be set before execution of the application program, or may be generated when the application program is executed.
When an application is executed, a process necessary for executing the application is created. This process is constituted by a sub-process. In some cases, an application runs solely on its own, but in most cases it is often run using other computer resources, and the process to run other computer resources is called a subprocess. For example, if an application is to read and update a database, a process is required to open the database and write to that database instance. That is, the database process is required as a subprocess.
In addition, if an application program broadcasts a message over a network to which it belongs via an Ethernet card, a process for driving the Ethernet card is required, and a sub-process of the device driver of the Ethernet card is required .
The
The computer resources may include at least one of a library, a kernel module, and a device driver.
The computer resources may be mapped by allocating a certain area to the actual
An application can use these computer resources according to the authority information. Typical applications use multiple libraries, kernel modules, and device drivers.
The authority information may be information indicating whether the computer resource is allowed to access, read, write, or change.
Referring to FIG. 5, the address space of the first process is configured by mapping a memory in the
Suppose you want to satisfy the following program execution constraints: Application 1 should not use kernel module 1, nor should device 2 be used. In order to satisfy such a restriction, the first
This privilege information may be set differently depending on the application program. Referring to FIG. 6, there is shown an example in which an application program can have rights information about a computer resource. In the case of FIG. 6A, only the access permission to computer resources is allowed. Access is granted to the Device 1 driver and User Library 1, but not to the Device 2 driver.
On the other hand, the authority information can be managed in a more detailed form as in the case of FIG. 6B. Referring to FIG. 6B, some application programs are allowed only for the device 1 driver, and only for the device 2 driver access and read. On the other hand, for user library 1, access, read, write, and modification are allowed.
In this case, the term access may be defined as the application knowing the existence and address of any computer resource. That is, according to FIG. 6B, although the application program knows the existence of the device 1 driver and the physical memory address but can not read the contents thereof, the device 1 driver resource can not be used eventually.
In the case of read, write, and change, appropriate authority definition can be made according to the type of computer resources. The definition of authority may not be limited to the above four cases. For example, it is possible to define permissions such as desorption and removal. Database backup If your application uses a backup device driver, you can define and use permissions such as detach and remove data cartridges.
7 is an exemplary diagram for explaining identification information of a computer resource.
Referring to FIG. 7, the identification information may be information including a unique identifier of the computer resource and address information of the
The identifier of the identification information may be a specific functional unit such as a " device 1 driver " or may be a form in which a functional meaning such as a universal unique identifier (UUID) or a MAC (Media Access Control) May also be possible. Referring to FIGS. 7A and 7B, since the physical memory area for each identifier is recorded, it is possible to dynamically change the process address space after confirming the value requested by the memory
The
With continued reference to FIG. 7 and FIG. 5 referred to above, there are two possible ways to create a process address space that includes a mapping to computer resources. In the first method, the memory
In the second method, the memory
The second method differs from the first method in that, from the application point of view, the second way is to know the existence of computer resources of identifiers that do not have usage rights. That is, according to the first method, the application program may not know the existence of the computer resource of the identifier having no usage right. However, according to the second method, the physical memory address of the computer resource of the identifier having no usage right is unknown, The existence itself becomes recognizable.
FIG. 8 is an exemplary diagram for explaining process address space control using the page table 520. FIG.
Referring to FIG. 8, the
9 is a flowchart for explaining each step of the memory management method.
Referring to FIG. 9, a memory management method for executing an application program in a computer device includes: a step of generating, in response to an execution request for an application program, rights information on a computer resource embedded in the computer device necessary for execution of the application program, (S910) of creating a process address space in which a memory address of an application program and a computer resource are mapped based on the privilege information and the identification information outside the kernel area of the computer device (S920) .
When an application is requested to be executed, a process necessary for executing an application program is created, and this process includes sub-processes. The right of any user application to use the computer resources in the computer device can be managed by the computer device, and such rights information can be extracted. In addition, identification information of computer resources can be extracted. Based on the extracted credential information and the identification information, the application program can be executed and the generated processes and sub-processes can be mapped to computer resources. The process address space including this mapping information can be created in the virtual memory space of the computer device.
The device on which the memory management method is performed can replace some or all of the memory management modules located in the kernel area outside the kernel area of the computer device. Using this approach, the memory management portion defined by the developer may not be compromised despite the unintended corruption of the kernel area.
The memory management method may further include storing the authority information (S930) before the step of extracting the authority information and the identification information. When the step of storing the authority information is performed, the memory control may be requested by extracting the stored authority information and transmitting the authority information.
The authority information may be set before execution of the application program, or may be generated upon execution of the application program. It is possible to prescribe and store which application program has the authority for the computer resource, and when the application program is executed, the generated sub-process can be analyzed to generate the privilege information. Such authority information may be stored in a computer device.
The computer resources may include at least one of a library, a kernel module, and a device driver.
The authority information may be information indicating whether the computer resource is allowed to access, read, write, or change. The authorization information can be set differently depending on the application program. Referring to FIG. 6, it is shown as an example how an application program can have rights information about a computer resource. In the case of FIG. 6A, only the access permission to computer resources is allowed. Access is granted to the Device 1 driver and User Library 1, but not to the Device 2 driver.
On the other hand, the authority information can be managed in a more detailed form as in the case of FIG. 6B. Referring to FIG. 6B, some application programs are allowed only for the device 1 driver, and only for the device 2 driver access and read. On the other hand, for user library 1, access, read, write, and modification are allowed.
The identification information may include a unique identifier of the computer resource and address information of the physical memory space allocated to the computer resource. The identifier may also be indicative of the function of the computer resource.
The step of creating a process address space may include creating a process address space in which an application maps only to a physical memory space of a computer resource for which the application has usage rights or mapping an application program to all of the computer resources inherent in the computer device, A program can create a processor address space by unmapping computer resources that do not have usage rights.
The second method differs from the first method in that, from the application point of view, the second way is to know the existence of computer resources of identifiers that do not have usage rights. That is, according to the first method, the application program may not know the existence of the computer resource of the identifier having no usage right. However, according to the second method, the physical memory address of the computer resource of the identifier having no usage right is unknown, The existence itself becomes recognizable.
The step of creating the process address space may modify the privilege information for the computer resource by modifying the page table of the process address space. When using the paging scheme among the virtual memory schemes, a process address space can be created through the page table. In the physical memory address area requiring access control, do.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the present invention as defined by the following claims It can be understood that
10: computer device 20: computer device
100: memory management apparatus 110: process generation unit
120: memory control request unit 130: memory control unit
140: mapping information storage unit 200: kernel area
210: memory management module 300: physical memory space
310: first process address space 320: second process address space
400: physical memory space 410: first process address space
420: second process address space 500: physical memory space
510: process address space 520: page table
Claims (20)
A memory control request unit for extracting rights information of computer resources inherent to the computer apparatus necessary for execution of the application program and identification information of the computer resource according to an execution request for the application program; And
And a memory controller for generating a process address space in which a memory address of the application program and the computer resource are mapped based on the privilege information and the identification information outside a kernel area of the computer device.
The memory management apparatus
Wherein the memory management module is located outside the kernel area of the computer device and replaces a part or all of the memory management module in the kernel area.
The memory management apparatus
And a mapping information storage unit for storing the authorization information and the identification information.
The rights information
Wherein the application program is previously set before execution of the application program, or can be generated upon execution of the application program.
The computer resource
A library, a kernel module, and a device driver.
The rights information
Wherein the information is information indicating whether the computer resource is permitted to access, read, write, or change.
The identification information
A unique identifier of the computer resource; And
And address information of a physical memory space allocated to the computer resource.
The identifier
And displays the function of the computer resource.
The memory control unit
The application program creating the process address space mapped only to a physical memory space of the computer resource having usage rights,
Wherein the application program creates the process address space by mapping the application program to all of the computer resources inherent in the computer device and then releasing the mapping for the computer resource for which the application program does not have usage rights. .
The memory control unit
And modify the page table of the process address space to change the authority information for the computer resource.
Extracting authorization information for the computer resources and identification information of the computer resources required for execution of the application program in accordance with an execution request for the application program; And
Generating a process address space in which a memory address of the application program and the computer resource are mapped based on the privilege information and the identification information outside a kernel area of the computer device.
The apparatus in which the memory management method is performed
Wherein the memory management module is located outside the kernel area of the computer device and replaces some or all of the memory management module in the kernel area.
The memory management method
Before the step of extracting the right information and the identification information,
Further comprising the step of storing the authorization information.
The rights information
Wherein the application program is previously set before execution of the application program, or can be generated when the application program is executed.
The computer resource
A library, a kernel module, and a device driver.
The rights information
Wherein the information is information indicating whether the computer resource is permitted to access, read, write, or change.
The identification information
A unique identifier of the computer resource; And
And address information of a physical memory space allocated to the computer resource.
The identifier
And displaying the function of the computer resource.
The step of creating the process address space
The application program creating the process address space mapped only to a physical memory space of the computer resource having usage rights,
Mapping the application program to all of the computer resources inherent in the computer device and then creating the process address space by releasing the mapping of computer resources that do not have usage rights to the application program.
The step of creating the process address space
And modify the page table of the process address space to change the privilege information for the computer resource.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020130106995A KR101460451B1 (en) | 2013-09-06 | 2013-09-06 | Apparatus and method for controlling process address space |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020130106995A KR101460451B1 (en) | 2013-09-06 | 2013-09-06 | Apparatus and method for controlling process address space |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101460451B1 true KR101460451B1 (en) | 2014-11-12 |
Family
ID=52287708
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020130106995A KR101460451B1 (en) | 2013-09-06 | 2013-09-06 | Apparatus and method for controlling process address space |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101460451B1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20160068480A (en) * | 2014-12-05 | 2016-06-15 | 삼성전자주식회사 | Method and apparatus for protecting resource of application program |
KR20160113483A (en) * | 2015-03-20 | 2016-09-29 | 한국전자통신연구원 | Apparatus and Method for updating a snapshot image |
KR20180066335A (en) * | 2016-12-07 | 2018-06-19 | 현대오트론 주식회사 | Apparatus for processing process |
CN113608745A (en) * | 2021-08-11 | 2021-11-05 | 平安国际智慧城市科技股份有限公司 | Method for initializing user authority and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20080089002A (en) * | 2007-03-30 | 2008-10-06 | 삼성전자주식회사 | Method of controlling memory access |
KR20080104591A (en) * | 2007-05-28 | 2008-12-03 | 삼성전자주식회사 | Memory protection method and apparatus |
KR101155123B1 (en) * | 2010-10-26 | 2012-06-11 | 한국과학기술원 | Apparatus and method for protecting memory of application from failure of kernel code |
-
2013
- 2013-09-06 KR KR1020130106995A patent/KR101460451B1/en active IP Right Grant
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20080089002A (en) * | 2007-03-30 | 2008-10-06 | 삼성전자주식회사 | Method of controlling memory access |
KR20080104591A (en) * | 2007-05-28 | 2008-12-03 | 삼성전자주식회사 | Memory protection method and apparatus |
KR101155123B1 (en) * | 2010-10-26 | 2012-06-11 | 한국과학기술원 | Apparatus and method for protecting memory of application from failure of kernel code |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20160068480A (en) * | 2014-12-05 | 2016-06-15 | 삼성전자주식회사 | Method and apparatus for protecting resource of application program |
KR102297476B1 (en) * | 2014-12-05 | 2021-09-02 | 삼성전자주식회사 | Method and apparatus for protecting resource of application program |
KR20160113483A (en) * | 2015-03-20 | 2016-09-29 | 한국전자통신연구원 | Apparatus and Method for updating a snapshot image |
KR102011059B1 (en) * | 2015-03-20 | 2019-08-16 | 한국전자통신연구원 | Apparatus and Method for updating a snapshot image |
KR20180066335A (en) * | 2016-12-07 | 2018-06-19 | 현대오트론 주식회사 | Apparatus for processing process |
KR101887786B1 (en) * | 2016-12-07 | 2018-08-13 | 현대오트론 주식회사 | Apparatus for processing process |
CN113608745A (en) * | 2021-08-11 | 2021-11-05 | 平安国际智慧城市科技股份有限公司 | Method for initializing user authority and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109901911B (en) | Information setting method, control method, device and related equipment | |
EP2385479B1 (en) | Information flow tracking and protection | |
KR101477080B1 (en) | Memory access security management | |
CN100580642C (en) | Universal serial bus storage device and access control method thereof | |
US20180082077A1 (en) | Creating distinct user spaces through user identifiers | |
CN108062242B (en) | Computing system for securely executing secure applications in rich execution environments | |
US7975117B2 (en) | Enforcing isolation among plural operating systems | |
CN100570601C (en) | Switch the method and the computer system of the file that will visit based on confidential mode | |
US10255088B2 (en) | Modification of write-protected memory using code patching | |
US8359467B2 (en) | Access control system and method | |
EP3842973B1 (en) | Security schemes for multiple trusted-execution-environments (tees) and multiple rich-execution-environments (rees) | |
KR20090010872A (en) | Method and apparatus for managing access privileges in a cldc osgi environment | |
KR100931706B1 (en) | Method and apparatus for physical address-based security for determining target security | |
KR101460451B1 (en) | Apparatus and method for controlling process address space | |
KR20130000253A (en) | Apparatus and method for controlling memory access in virtualized system | |
US9032401B2 (en) | Virtual computer system having a first virtual computer that executes a protected process, a second virtual computer that executes an unprotected process, and a hypervisor that controls the first and second virtual computers | |
JP5338435B2 (en) | Information processing program, information processing apparatus, and information processing method | |
CN106845174B (en) | Application authority management method and system under security system | |
US8689288B2 (en) | Apparatus and method for protecting system in virtualized environment | |
CN112749397A (en) | System and method | |
US20170317832A1 (en) | Virtual Secure Elements in Computing Systems based on ARM Processors | |
CN117693737A (en) | Protection of processes for setting up subdirectories and network interfaces for container instances | |
CN114065257A (en) | Address space protection method, protection device, equipment and storage medium | |
KR101535792B1 (en) | Apparatus for configuring operating system and method thereof | |
KR100941743B1 (en) | Method and apparatus for multi-table accessing of input/output devices using target security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant | ||
FPAY | Annual fee payment |
Payment date: 20171024 Year of fee payment: 4 |
|
FPAY | Annual fee payment |
Payment date: 20181113 Year of fee payment: 5 |
|
FPAY | Annual fee payment |
Payment date: 20190925 Year of fee payment: 6 |