TW201710942A - Execution control device, execution control method, and execution control program - Google Patents


Info

Publication number
TW201710942A
Authority
TW
Taiwan
Prior art keywords
memory
user
program
system call
unit
Prior art date
Application number
TW104135742A
Other languages
Chinese (zh)
Other versions
TWI626557B (en)
Inventor
Takashi Sakakura
Original Assignee
Mitsubishi Electric Corp
Application filed by Mitsubishi Electric Corp
Publication of TW201710942A
Application granted
Publication of TWI626557B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F 12/14 Protection against unauthorised use of memory or access to memory
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)
  • Memory System Of A Hierarchy Structure (AREA)

Abstract

This execution control device (100) is provided with a determination unit (120) and a control unit (130). When a memory operation system call has been issued by a process activated by a user, the determination unit (120) determines whether the issuing user is the same as the user who has activated a process to which is allocated the memory region to be operated on by the issued memory operation system call. A memory operation system call is a system call that is issued to an operating system by a user-activated process in order to operate on a memory region. The control unit (130) avoids the execution of the issued memory operation system call if the determination unit (120) determines that the issuing user is different from the user who has activated the process to which the memory region is allocated.

Description

Execution control device, execution control method, and execution control program product

The present invention relates to an execution control device, an execution control method, and an execution control program product.

In recent years, a service called "cloud", which provides computer resources on the premise of an Internet connection, has spread widely. Known forms of the service include SaaS (Software as a Service), which provides the web application itself; PaaS (Platform as a Service), which provides a platform for developing applications; and IaaS (Infrastructure as a Service), which provides virtual machines.

Usually, a cloud vendor and its customers conclude a contract called an SLA (Service Level Agreement) covering billing, reliability of the service, security, and the like. However, the existence of a malicious system administrator cannot be entirely ruled out. The system administrator is a super user who holds every privilege on the system. Therefore, even if the confidentiality of the customer's storage data or memory data is guaranteed by contract, there remains the possibility that a malicious system administrator steals or tampers with the data.

A virtual machine provided by an IaaS is, from the point of view of the operating system on which the virtual machine runs, nothing more than an application. Therefore, anyone who is a super user of that operating system can obtain the data in the memory region used by the virtual machine.

Patent Document 1 discloses a technique in which, when an application issues a system call to the operating system, it is verified whether the application has the privilege to receive the service of that system call.

[Prior art documents] [Patent documents]

Patent Document 1: Japanese Unexamined Patent Application Publication No. 2006-331137

The prior art cannot cope with the existence of a malicious system administrator. Even with the technique described in Patent Document 1, the possibility that a super user can access every resource of the system is not excluded.

An object of the present invention is to provide a system in which even a super user cannot access the data of a memory region that is to be protected.

An execution control device according to one aspect of the present invention includes: a determination unit that determines, for a memory operation system call, that is, a system call issued to the operating system by a process started by a user in order to operate on a memory region, whether the issuing-source user, the user who started the process that issued the memory operation system call, is the same as the allocation-destination user, the user who started the process to which the memory region operated on by the issued memory operation system call is allocated; and a control unit that aborts the execution of a memory operation system call for which the determination unit has determined that the issuing-source user differs from the allocation-destination user.

In the present invention, if the user who started the process that issued a system call for operating on a memory region differs from the user who started the process to which that memory region is allocated, the system call is not executed. Therefore, according to the present invention, a system can be provided in which even a super user cannot access the data of a memory region to be protected.

100: execution control device
101: processor
102: MMU
103: TLB
104: memory controller
105: memory
106: auxiliary storage device
107: communication device
110: providing unit
120: determination unit
130: control unit
140: storage unit
150: management unit
160: authentication unit
200: virtual address
201: index
202: index
203: offset
210: page directory table
211: page table entry
220: page table
221: page table entry
222: Inhibit flag
230: control register
300: physical address

Fig. 1 is a block diagram showing the configuration of the execution control device according to Embodiment 1.

Fig. 2 is a flowchart showing the operation of the execution control device according to Embodiment 1.

Fig. 3 is a block diagram showing the configuration of the execution control device according to Embodiment 2.

Fig. 4 is a diagram showing an implementation example of virtual memory according to Embodiment 2.

Fig. 5 is a diagram showing a configuration example of a page table entry according to Embodiment 2.

Fig. 6 is a flowchart showing the operation of the execution control device according to Embodiment 2.

Embodiments of the present invention will be described below with reference to the drawings. In the drawings, the same or equivalent parts are given the same reference signs. In the description of the embodiments, the description of the same or equivalent parts is omitted or simplified as appropriate.

Embodiment 1

The configuration of the device of this embodiment, the operation of the device of this embodiment, and the effects of this embodiment will be described in that order.

* * * Description of the configuration * * *

The configuration of the execution control device 100 of this embodiment will be described with reference to Fig. 1.

The execution control device 100 includes a providing unit 110, a determination unit 120, and a control unit 130.

In this embodiment, the execution control device 100 is a computer. Specifically, the execution control device 100 is a host computer that provides IaaS. The functions of the providing unit 110, the determination unit 120, and the control unit 130 are realized by software.

The execution control device 100 includes hardware such as a processor 101, an MMU (Memory Management Unit) 102, a TLB (Translation Lookaside Buffer) 103, a memory controller 104, a memory 105, an auxiliary storage device 106, and a communication device 107. The processor 101 is connected to the other hardware via signal lines and controls that other hardware.

The processor 101 is an IC (Integrated Circuit) that performs processing. Specifically, the processor 101 is a CPU (Central Processing Unit).

The MMU 102 is an IC that converts between virtual addresses, which are addresses of the virtual machine, and physical addresses, which are addresses of the memory 105.

The TLB 103 is a buffer memory that temporarily stores the mapping information between virtual addresses and physical addresses.

The memory controller 104 is an IC that manages the flow of data written to the memory 105 by the processor 101 and the flow of data read from the memory 105 by the processor 101.

The memory 105 is the main memory, that is, physical memory. Specifically, the memory 105 is RAM (Random Access Memory).

The auxiliary storage device 106 is a storage device at least a part of which functions as the virtual machine. Specifically, the auxiliary storage device 106 is a flash memory or an HDD (Hard Disk Drive).

The communication device 107 includes a receiver that receives data and a transmitter that transmits data. Specifically, the communication device 107 is a communication chip or a NIC (Network Interface Card).

The execution control device 100 may also include at least one of an input device and a display as hardware.

The input device is used to input data from outside into the memory 105. Specifically, the input device is a mouse, a keyboard, or a touch panel.

The display is used to display data stored in the memory 105. Specifically, the display is an LCD (Liquid Crystal Display).

A group of programs is stored in the auxiliary storage device 106. The program group includes a program that realizes the function of the providing unit 110. This program is loaded into the memory 105, read into the processor 101, and executed by the processor 101. The program group also includes an operating system that realizes the functions of the determination unit 120 and the control unit 130. At least a part of the operating system is loaded into the memory 105, and the processor 101 executes the program that realizes the function of the providing unit 110 while executing the operating system.

An ordinary user of the operating system, that is, a non-super user, can trace the virtual memory regions of his or her own processes but cannot trace the virtual memory regions of other users' processes. Likewise, a non-super user can share a virtual memory region among his or her own processes, but cannot share a virtual memory region between one of his or her own processes and another user's process, or between processes of other users. A virtual machine running on the host operating system of an IaaS is also such a non-super-user process.

Conventionally, a super user has been allowed to trace the virtual memory region of any process and to share virtual memory regions between any processes. As a result, the system administrator of the host operating system of an IaaS has been able to observe the memory data of any virtual machine running on that host operating system.

As described later, in this embodiment even a super user is prohibited from tracing the virtual memory regions of other users' processes and from sharing virtual memory regions between other users' processes. Therefore, the memory data of virtual machines running on the host operating system of an IaaS can be protected against a malicious system administrator.

For a process to trace a virtual memory region of a process, or to share a virtual memory region with other processes of the same user, data managed by the operating system must be modified. The processor 101 can be set to an execution mode called protected mode so that an application executed as a process cannot corrupt the data managed by the operating system. When protected mode is set, the virtual address space in which the operating system runs is clearly separated from the virtual address space in which applications run. Accordingly, a means called a system call is provided by which an application in protected mode accesses the operating system's space.

An application running as an ordinary user's process can, by issuing system calls, use the various functions of the operating system, such as the function of tracing a virtual memory region of that process and the function of sharing a virtual memory region with other processes of the same user as that process.

The execution control device 100 may include only one processor 101 or a plurality of processors 101. A plurality of processors 101 may execute the program group cooperatively.

Information, data, signal values, and variable values indicating the results of processing by the providing unit 110, the determination unit 120, and the control unit 130 are stored in the auxiliary storage device 106, in the memory 105, or in a register or flash memory within the processor 101.

The program group may also be stored in a portable recording medium such as a magnetic disk, a flexible disk, a magneto-optical disk, a compact disc, a Blu-ray (registered trademark) disc, or a DVD (Digital Versatile Disc).

The processor 101, the MMU 102, the TLB 103, the memory controller 104, and the memory 105 are collectively referred to as "processing circuitry". In other words, the functions of the "units" such as the providing unit 110, the determination unit 120, and the control unit 130 are realized by processing circuitry.

"Unit" may also be read as "step", "procedure", or "process". A computer program product (also simply called a program product) is not limited by its outward form; it is anything loaded with a program readable by a computer.

* * * Description of the operation * * *

The operation of the execution control device 100 will be described with reference to Fig. 2. The operation of the execution control device 100 corresponds to the execution control method of this embodiment. The operation of the execution control device 100 also corresponds to the processing procedure of the execution control program of this embodiment.

The processing of steps S11 to S15 is performed at least while the providing unit 110 provides a service that lets users use a virtual machine operating as a process. In this embodiment, the providing unit 110 provides IaaS as such a service. Specifically, the providing unit 110 uses the processor 101 to run the virtual machine on the operating system. The providing unit 110 transmits and receives data over the Internet using the communication device 107, thereby letting users use the running virtual machine.

In step S11, the determination unit 120 waits until it detects the issuance of a system call. Specifically, the determination unit 120 is started by the interrupt that the issuance of a system call raises in the processor 101; by being started, it detects that a system call has been issued. The determination unit 120 further obtains from the registers of the processor 101 at least the number of the issued system call, the arguments of the system call, and the identifier of the user who started the process that issued the system call.

When the determination unit 120 detects the issuance of a system call, the flow proceeds to step S12.

In step S12, the determination unit 120 determines whether the system call whose issuance was detected in step S11 is a memory operation system call. A memory operation system call is a system call, among those issued to the operating system by a process started by a user, that is issued in order to operate on a memory region. Specifically, the determination unit 120 compares the number of the system call obtained in step S11 with the numbers of the memory operation system calls and outputs the comparison result as a Boolean value. Assuming that a Boolean value of "1" indicates that the numbers match, when "1" is output the determination unit 120 determines that the issued system call is a memory operation system call. When "0" is output, the determination unit 120 determines that the issued system call is not a memory operation system call.

When the determination unit 120 determines that the issued system call is a memory operation system call, the flow proceeds to step S13. Otherwise, the flow proceeds to step S14.

In step S13, the determination unit 120 determines whether the issuing-source user, the user who started the process that issued the memory operation system call, is the same as the allocation-destination user, the user who started the process to which the memory region operated on by the issued memory operation system call is allocated. Specifically, the determination unit 120 obtains, from the arguments of the system call obtained in step S11, the virtual address of the memory region operated on by the memory operation system call. The TLB 103 stores, for each virtual address space, the identifier of the process to which that space is allocated, as part of the mapping information described earlier. Using the processor 101, the determination unit 120 obtains through the MMU 102 the process identifier stored in the TLB 103 as the allocation destination of the virtual address space that contains the obtained virtual address. From the obtained process identifier, the determination unit 120 identifies the identifier of the allocation-destination user, the user who started that process. The determination unit 120 then compares the user identifier obtained in step S11, that is, the identifier of the issuing-source user, with the identified identifier of the allocation-destination user, and outputs the comparison result as a Boolean value. Assuming that a Boolean value of "1" indicates that the identifiers match, when "1" is output the determination unit 120 determines that the issuing-source user is the same as the allocation-destination user. When "0" is output, the determination unit 120 determines that the issuing-source user differs from the allocation-destination user.

When the determination unit 120 determines that the issuing-source user is the same as the allocation-destination user, the flow proceeds to step S14. Otherwise, the flow proceeds to step S15.

In step S14, the control unit 130 performs normal processing. Specifically, the control unit 130 causes the processor 101 to execute a system call that the determination unit 120 has determined not to be a memory operation system call. The control unit 130 likewise causes the processor 101 to execute a memory operation system call for which the determination unit 120 has determined that the issuing-source user is the same as the allocation-destination user. By contrast, the control unit 130 aborts the execution of a memory operation system call for which the determination unit 120 has determined that the issuing-source user differs from the allocation-destination user.

In step S15, the control unit 130 performs error processing. Specifically, even if the issuing-source user is a super user holding the administrator privileges of the operating system, the control unit 130 does not cause the processor 101 to execute a memory operation system call for which the determination unit 120 has determined that the issuing-source user differs from the allocation-destination user. In this embodiment, the control unit 130 forcibly terminates the process that issued such a memory operation system call. That is, the control unit 130 deletes the process that issued the memory operation system call for which the issuing-source user was determined to differ from the allocation-destination user.
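The decision procedure of steps S11 to S15, together with the trace/share permission model described under the configuration, can be shown as a small simulation. The following C program is an added example written for this page; it is not an implementation from the patent or from Mitsubishi Electric. The system call numbers, the pid-to-uid table, the virtual address spaces with their owning process (standing in for the mapping information the text places in the TLB), and the probe addresses are all constructed for the simulation. It places the conventional check, in which the super user is always treated as privileged, beside the Embodiment 1 check, which applies the same issuing-source versus allocation-destination user comparison to everyone; DENY_KILL stands for the error processing of S15 (the issuing process is terminated).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical system call numbers for this simulation (not real kernel numbers). */
enum {
    SYS_READ_FILE    = 1,  /* not a memory operation: S12 sends it straight to S14 */
    SYS_TRACE_PROC   = 2,  /* trace the virtual memory region of a process          */
    SYS_SHARE_REGION = 3,  /* share a virtual memory region with another process    */
};

#define ROOT_UID 0

/* Constructed process table: pid -> uid of the user who started the process. */
struct proc { int pid; int uid; };
static const struct proc procs[] = {
    { 100, 1001 },      /* virtual machine of customer A */
    { 200, 1002 },      /* virtual machine of customer B */
    { 300, ROOT_UID },  /* administrator's tool          */
};

/* Constructed mapping information as the text places it in the TLB (step S13):
 * each virtual address space carries the identifier of the process it is allocated to. */
struct vaddr_space { uint32_t base; uint32_t size; int owner_pid; };
static const struct vaddr_space spaces[] = {
    { 0x10000000u, 0x01000000u, 100 },
    { 0x20000000u, 0x01000000u, 200 },
};

enum verdict { ALLOW = 0, DENY_KILL = 1 };   /* S14 normal processing / S15 error processing */

/* S12: is this system call a memory operation system call? */
static bool is_memory_op(int nr)
{
    return nr == SYS_TRACE_PROC || nr == SYS_SHARE_REGION;
}

/* S13, first half: which process owns the space containing vaddr? (-1 if none) */
static int owner_pid_of(uint32_t vaddr)
{
    for (size_t i = 0; i < sizeof spaces / sizeof spaces[0]; i++)
        if (vaddr >= spaces[i].base && vaddr - spaces[i].base < spaces[i].size)
            return spaces[i].owner_pid;
    return -1;
}

/* S13, second half: which user started that process? (-1 if unknown) */
static int uid_of_pid(int pid)
{
    for (size_t i = 0; i < sizeof procs / sizeof procs[0]; i++)
        if (procs[i].pid == pid)
            return procs[i].uid;
    return -1;
}

/* Conventional check: the super user is always treated as "privileged". */
enum verdict decide_conventional(int nr, uint32_t vaddr, int issuer_uid)
{
    if (!is_memory_op(nr))       return ALLOW;
    if (issuer_uid == ROOT_UID)  return ALLOW;            /* the exemption the text removes */
    int owner_uid = uid_of_pid(owner_pid_of(vaddr));
    return (owner_uid >= 0 && owner_uid == issuer_uid) ? ALLOW : DENY_KILL;
}

/* Embodiment 1 check: the same comparison of issuing-source user and allocation-destination
 * user, with no super-user exemption. An unmapped target fails closed. */
enum verdict decide_embodiment1(int nr, uint32_t vaddr, int issuer_uid)
{
    if (!is_memory_op(nr))       return ALLOW;            /* S12 -> S14 */
    int owner_uid = uid_of_pid(owner_pid_of(vaddr));      /* S13 */
    if (owner_uid < 0)           return DENY_KILL;
    return owner_uid == issuer_uid ? ALLOW : DENY_KILL;   /* S14 / S15 */
}

int main(void)
{
    struct { const char *what; int nr; uint32_t va; int uid; } cases[] = {
        { "root reads a file",          SYS_READ_FILE,    0,           ROOT_UID },
        { "customer A traces own VM",   SYS_TRACE_PROC,   0x10000400u, 1001 },
        { "customer B traces A's VM",   SYS_TRACE_PROC,   0x10000400u, 1002 },
        { "root shares A's VM region",  SYS_SHARE_REGION, 0x10000400u, ROOT_UID },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum verdict before = decide_conventional(cases[i].nr, cases[i].va, cases[i].uid);
        enum verdict after  = decide_embodiment1(cases[i].nr, cases[i].va, cases[i].uid);
        printf("%-28s conventional=%s  embodiment1=%s\n", cases[i].what,
               before == ALLOW ? "ALLOW" : "KILL", after == ALLOW ? "ALLOW" : "KILL");
    }
    return 0;
}
```

The only difference between the two decision functions is the removed `issuer_uid == ROOT_UID` early return; the last case in `main` is the one where that line alone decides whether the administrator's tool can attach to a customer's virtual machine. The fail-closed branch for an unmapped target is a choice made for this example; the text does not specify what happens when the address lies in no allocated space.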

* * * Description of the effects of the embodiment * * *

In this embodiment, if the user who started the process that issued a system call for operating on a memory region differs from the user who started the process to which that memory region is allocated, the system call is not executed. Therefore, according to this embodiment, a system can be provided in which even a super user cannot access the data of a memory region to be protected.

In this embodiment, not only can unauthorized access to a memory region by users other than the user to whom the region is allocated be prevented, but access to the region by a malicious super user can be prevented as well. Therefore, a highly secure service can be provided. Because operations such as tracing and sharing of the memory region performed by the user to whom it is allocated are carried out normally, the convenience of the service is maintained.

In this embodiment, the privilege check in the processing of memory-management system calls such as those for tracing and sharing memory regions excludes the logic that treats the super user as "privileged", so that the memory data of virtual machines can be protected against a malicious super user.

The determination unit 120 may also perform the determination of step S13, whether the issuing-source user is the same as the allocation-destination user, only when the issuance detected in step S11 is that of a memory operation system call directed at a memory region allocated to a virtual machine. Even in that case, at least the data in the memory regions used by virtual machines can be protected.

* * * Other configurations * * *

The execution control device 100 is not limited to a host computer that provides IaaS by executing virtual machines as processes; it may be any computer that executes arbitrary processes. That is, a configuration in which the execution control device 100 does not include the providing unit 110 may be adopted as a modification of this embodiment.

Embodiment 2

In Embodiment 1, access to the memory regions used by virtual machines is controlled by means of the user accounts managed by the operating system. That is, Embodiment 1 protects the memory data of virtual machines by using the user management mechanism.

A general web server can be accessed by anyone who can connect to the Internet. Therefore, in web services, the privilege level of the operating system granted to users is set very restrictively. For this reason, in web services provided by banks and the like, a means of securely accessing account-related systems is provided at the user's request. Specifically, in addition to a software keyboard or a password, a strict authentication mechanism is provided, such as one that applies a hash code to a random value.

In this embodiment, an authentication mechanism that authenticates processes is likewise provided as a means of securely accessing the memory regions used by virtual machines. A structure for making use of this authentication mechanism is introduced into the memory management mechanism. That is, this embodiment protects the memory data of virtual machines by using the authentication mechanism together with the memory management mechanism.

The configuration of the device of this embodiment, the operation of the device of this embodiment, and the effects of this embodiment will be described in that order. The description focuses on the differences from Embodiment 1.

* * * Description of the configuration * * *

The configuration of the execution control device 100 of this embodiment is described with reference to Fig. 3.

As in Embodiment 1, the execution control device 100 includes the providing unit 110, the determination unit 120, and the control unit 130. In this embodiment, the execution control device 100 further includes a storage unit 140, a management unit 150, and an authentication unit 160. The execution control device 100 need not include the determination unit 120.

The storage unit 140 is implemented by the TLB 103.

The management unit 150 is implemented by the MMU 102.

The functions of the authentication unit 160 are implemented in software. Specifically, like the functions of the control unit 130, the functions of the authentication unit 160 are implemented by the operating system.

An implementation example of virtual memory is described with reference to Fig. 4.

Once the state of the processor 101 becomes protected mode, the processor 101 executes the operating system and application programs using virtual addresses 200 of the virtual memory.

A virtual address 200 is the address the processor 101 uses to execute instructions, reference data, and update data in virtual memory. The virtual address 200 consists of an index 201 into the page directory table 210, an index 202 into the page table 220, and an offset 203. In this example, the index 201 into the page directory table 210 is 10 bits, the index 202 into the page table 220 is 10 bits, and the offset 203 is 12 bits. That is, the virtual address 200 is 32 bits.

The page directory table 210 stores an array of page directory entries 211 (PDE).

The page table 220 stores an array of page table entries 221 (PTE). A page table entry 221 corresponds to the mapping information between a virtual address 200 and the physical address 300 that is output on the memory bus.

By manipulating the control register 230 (CR3) of the processor 101, the state of the processor 101 transitions to protected mode. Once the state of the processor 101 has transitioned, the operating system references the page directory table 210 and the page table 220 according to the virtual address 200.

Handling of the mapping between virtual addresses 200 and physical addresses 300 is performed by the MMU 102. In recent CPUs with L1 to L3 caches, a memory access carries a very large performance penalty. The same holds for the MMU 102. Therefore page table entries 221, which are the mapping information between virtual addresses 200 and physical addresses 300, are cached in the TLB 103.

Now that CPU clocks reach several gigahertz and a memory access is as fast as 1 nanosecond or less, the performance penalty of a cache miss has become very large. The same holds for a miss in the TLB 103. The TLB 103 and the CPU cache both correspond to the relation between an address in the memory 105 and its contents, so both are implemented in hard-wired form.

A configuration example of the page table entry 221 is described with reference to Fig. 5.

The page table entry 221 has the same configuration as a conventional one, except that one of bits 9 to 11, which were formerly "Ignored", becomes the Inhibit flag 222. The Inhibit flag 222 indicates whether translation from the virtual address 200 to the physical address 300 is prohibited. In this example bit 11 is the Inhibit flag 222, but another bit may serve as the Inhibit flag 222.

While the Inhibit flag 222 is on, the MMU 102 notifies the processor 101 of an exception when mapping the virtual address 200 to the physical address 300. The operating system sets the Inhibit flag 222 to on when it newly reserves a memory area.

* * * Description of the operation * * *

The operation of the execution control device 100 is described with reference to Fig. 6. The operation of the execution control device 100 corresponds to the execution control method of this embodiment. The operation of the execution control device 100 also corresponds to the processing procedure of the execution control program of this embodiment.

As described above, the TLB 103, that is, the storage unit 140, stores a page table entry 221 for each page of the memory area belonging to the virtual memory. The page table entry 221 of each page contains an Inhibit flag 222 indicating whether translation to the address of the physical memory corresponding to that page is prohibited. That is, each page table entry 221 contains an Inhibit flag 222 indicating whether translation from the virtual address 200 to the physical address 300 is prohibited.

The MMU 102, that is, the management unit 150, writes the page table entry 221 of a page into the storage unit 140 when that page is assigned to a process. The page table entry 221 of that page contains an Inhibit flag 222 indicating that translation to the address of the physical memory corresponding to that page is prohibited. That is, when the management unit 150 newly writes a page table entry 221 into the storage unit 140, it sets the Inhibit flag 222 contained in that page table entry 221 to on.

When access to the virtual memory is requested and the Inhibit flag 222 of the page table entry 221 of the requested destination page prohibits translation to the address of the physical memory corresponding to the requested destination page, the management unit 150 starts the exception handling shown in Fig. 6. That is, when translation from a virtual address 200 to a physical address 300 is requested, the management unit 150 references the Inhibit flag 222 of the page table entry 221 identified by that virtual address 200. If the Inhibit flag 222 is on, the management unit 150 starts the exception handling. On the other hand, if the Inhibit flag 222 is off, the management unit 150 performs the translation from the virtual address 200 to the physical address 300 and updates the page table entry 221 of the requested destination page. Specifically, the management unit 150 updates the flag contained in the page table entry 221 of the requested destination page that indicates whether the requested destination page has been accessed.

In steps S21 to S23, the authentication unit 160 authenticates the process to which the requested destination page is assigned. Specifically, in step S21, the authentication unit 160 obtains the hash key and the authentication data held by the process in which the exception occurred. In step S22, the authentication unit 160 computes the hash value of the authentication data obtained in step S21. In step S23, the authentication unit 160 compares the hash value computed in step S22 with the hash key obtained in step S21. If the hash value matches the hash key, the authentication by the authentication unit 160 succeeds and the flow proceeds to step S24. On the other hand, if the hash value does not match the hash key, the authentication by the authentication unit 160 fails and the flow proceeds to step S25.

In step S24, the control unit 130 updates the Inhibit flag 222 of the page table entry 221 of the requested destination page. Specifically, the control unit 130 updates the Inhibit flag 222 of the page table entry 221 of the requested destination page to an Inhibit flag 222 indicating that translation to the address of the physical memory corresponding to the requested destination page is permitted. That is, the control unit 130 sets the Inhibit flag 222 of the page table entry 221 of the requested destination page to off. The exception handling then ends, and the management unit 150 performs the translation from the virtual address 200 to the physical address 300 and updates the page table entry 221 of the requested destination page. Specifically, the management unit 150 updates the flag contained in the page table entry 221 of the requested destination page that indicates whether the requested destination page has been accessed.

In step S25, the control unit 130 determines that the process in which the exception occurred has performed an illegal access, and forcibly terminates that process. That is, the control unit 130 deletes the process whose authentication by the authentication unit 160 failed.
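The page table entry of Fig. 5 and the exception handling of Fig. 6 (steps S21 to S25), as an added C model that is not the patent's own code: bit 11 is the Inhibit flag, a page newly assigned to a process starts with it on, and the first access raises the exception, whose handler hashes the process's authentication data, compares it with the held hash key, and either sets the flag off or forcibly terminates the process. The hash function (FNV-1a) and the sample process records are assumptions, since the patent names neither.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PTE layout of Fig. 5 on the 32-bit x86 format: bit 0 Present, bit 5 the
 * Accessed flag the MMU updates on a permitted access, bit 11 (one of the
 * formerly "Ignored" bits 9-11) the Inhibit flag 222. */
typedef uint32_t pte_t;
#define PTE_PRESENT      (1u << 0)
#define PTE_ACCESSED     (1u << 5)
#define PTE_INHIBIT      (1u << 11)
#define PTE_FRAME_MASK   0xFFFFF000u
#define PAGE_OFFSET_MASK 0xFFFu   /* 12-bit offset 203 */
/* Process record: hash_key and auth_data are what the authentication unit 160
 * fetches from the process in step S21 (the sample values are constructed). */
typedef struct {
    int         pid;
    bool        alive;
    const char *auth_data;
    uint32_t    hash_key;
} process_t;
/* Assumption: the patent names no hash function; 32-bit FNV-1a stands in. */
static uint32_t hash32(const char *s, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= (uint8_t)s[i];
        h *= 16777619u;
    }
    return h;
}

/* Management unit 150: a page newly assigned to a process gets a PTE with
 * the Inhibit flag on, the default of this embodiment. */
static pte_t pte_assign(uint32_t frame)
{
    return (frame & PTE_FRAME_MASK) | PTE_PRESENT | PTE_INHIBIT;
}

/* Steps S21-S23: hash the authentication data and compare with the hash key. */
static bool authenticate(const process_t *p)
{
    return hash32(p->auth_data, strlen(p->auth_data)) == p->hash_key;
}

/* Exception handling of Fig. 6. S24: on success the control unit 130 sets
 * Inhibit off. S25: on failure the access is illegal and the process is
 * forcibly terminated. Returns true when translation may proceed. */
static bool inhibit_exception(pte_t *pte, process_t *p)
{
    if (authenticate(p)) {
        *pte &= ~PTE_INHIBIT;
        return true;
    }
    p->alive = false;
    return false;
}

/* MMU 102: translate a 32-bit virtual address through one PTE. While Inhibit
 * is on the MMU raises the exception instead of translating; once it is off
 * the access flag is updated and the physical address 300 is formed. */
static bool translate(pte_t *pte, process_t *p, uint32_t vaddr, uint32_t *paddr)
{
    if (!(*pte & PTE_PRESENT))
        return false;
    if ((*pte & PTE_INHIBIT) && !inhibit_exception(pte, p))
        return false;   /* process killed: no translation, Inhibit stays on */
    *pte |= PTE_ACCESSED;
    *paddr = (*pte & PTE_FRAME_MASK) | (vaddr & PAGE_OFFSET_MASK);
    return true;
}

int main(void)
{
    process_t good = { 1, true, "vm-auth-data", 0 };           /* constructed */
    process_t bad  = { 2, true, "vm-auth-data", 0xDEADBEEFu }; /* wrong key */
    pte_t pg = pte_assign(0x00ABC000u), pb = pte_assign(0x00ABD000u);
    uint32_t pa = 0;
    good.hash_key = hash32(good.auth_data, strlen(good.auth_data));
    bool ok = translate(&pg, &good, 0x12345678u, &pa);
    printf("good: ok=%d pa=0x%08x inhibit=%d\n", ok, pa, !!(pg & PTE_INHIBIT));
    ok = translate(&pb, &bad, 0x12345678u, &pa);
    printf("bad:  ok=%d alive=%d inhibit=%d\n", ok, bad.alive, !!(pb & PTE_INHIBIT));
    return 0;
}
```

The second access by the authenticated process no longer takes the exception path because the flag was cleared in S24, while the killed process leaves its page with Inhibit still on, which is the property the effects section relies on.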

* * * Description of the effects of the embodiment * * *

In this embodiment, the authentication unit 160 authenticates the process to which a memory area of the virtual memory is assigned. The management unit 150 suspends translation from an address in a memory area assigned to a process whose authentication by the authentication unit 160 failed into an address of the physical memory. Therefore, according to this embodiment, a system can be provided that securely accesses the data of a memory area that is to be protected.

In this embodiment, the default setting of the Inhibit flag 222 of a page table entry 221 written into the storage unit 140 by the management unit 150 is on. The control unit 130 updates the Inhibit flag 222 only of those page table entries 221, among the page table entries 221 written by the management unit 150, for pages assigned to a process whose authentication by the authentication unit 160 succeeded. Therefore, even if the exception handling terminates abnormally, the Inhibit flag 222 remains on, and the data of the requested destination page is reliably protected.

In this embodiment, when a memory area is traced or shared, multiple TLB entries are registered for the same data. In either case, when any process releases the memory area, that process performs a shootdown of the TLB entry, so that consistency is maintained.

This embodiment can also be applied to SMP (Symmetric MultiProcessor) systems. In the optimized design of a system, when a certain processor 101 modifies the page table 220, a coarse-grained implementation that performs a TLB shootdown on all processors 101 may be adopted. Alternatively, an implementation that performs the TLB shootdown on each processor 101 per TLB entry may be adopted. These implementations are chosen according to the overall performance goals of the system and do not preclude application of this embodiment.

Although embodiments of the present invention have been described above, several of these embodiments may be combined and implemented. Alternatively, any one or several of these embodiments may be partially implemented. Specifically, only any one of the components described as a "unit" in the description of these embodiments may be adopted, or any combination of several of them may be adopted. Furthermore, the present invention is not limited to these embodiments, and various modifications may be made as needed.

100 Execution control device
101 Processor
102 MMU
103 TLB
104 Memory controller
105 Memory
106 Auxiliary storage device
107 Communication device
110 Providing unit
120 Determination unit
130 Control unit

Claims (10)

1. An execution control device comprising: a determination unit that determines, for a memory operation system call, that is, a system call issued for an operation on a memory area, among the system calls issued to the operating system by processes started by users, whether the issuing-source user, who started the process that is the issuing source of the memory operation system call, is the same as the allocation-destination user, who started the process that is the allocation destination of the memory area operated on by the issued memory operation system call; and a control unit that suspends execution of a memory operation system call for which the determination unit determined that the issuing-source user differs from the allocation-destination user.

2. The execution control device according to claim 1, wherein the control unit causes the processor to execute a memory operation system call for which the determination unit determined that the issuing-source user is the same as the allocation-destination user, and does not cause the processor to execute a memory operation system call for which the determination unit determined that the issuing-source user differs from the allocation-destination user, even when the issuing-source user is a superuser having administrator privileges of the operating system.

3. The execution control device according to claim 1 or 2, wherein the control unit deletes the process that is the issuing source of a memory operation system call for which the determination unit determined that the issuing-source user differs from the allocation-destination user.

4. The execution control device according to claim 1, further comprising a providing unit that provides a service allowing users to use a virtual machine that operates as a process; wherein the determination unit, upon detecting the issuance of a memory operation system call for a memory area allocated to the virtual machine, determines whether the issuing-source user is the same as the allocation-destination user.

5. The execution control device according to claim 1, further comprising: an authentication unit that authenticates a process to which a memory area of virtual memory is assigned; and a management unit that suspends translation from an address in the memory area assigned to a process whose authentication by the authentication unit failed into an address of physical memory.

6. The execution control device according to claim 5, further comprising a storage unit that stores, for each page of the memory area belonging to the virtual memory, a page table entry containing a flag indicating whether translation to the address of the corresponding physical memory is prohibited; wherein the management unit, when a page is assigned to a process, writes into the storage unit, as the page table entry of that page, a page table entry containing a flag indicating that translation to the address of the physical memory corresponding to that page is prohibited; and the control unit updates the flag of those page table entries, among the page table entries written by the management unit, of pages assigned to a process whose authentication by the authentication unit succeeded.

7. The execution control device according to claim 6, wherein the management unit starts exception handling when access to the virtual memory is requested and the flag of the page table entry of the requested destination page prohibits translation to the address of the physical memory corresponding to the requested destination page; the authentication unit, as the exception handling, authenticates the process to which the requested destination page is assigned; and the control unit, as the exception handling, when the authentication by the authentication unit succeeds, updates the flag of the page table entry of the requested destination page to a flag indicating that translation to the address of the physical memory corresponding to the requested destination page is permitted.

8. The execution control device according to claim 6 or 7, wherein the control unit deletes a process whose authentication by the authentication unit failed.

9. An execution control method, wherein a computer determines, for a memory operation system call, that is, a system call issued for an operation on a memory area, among the system calls issued to the operating system by processes started by users, whether the issuing-source user, who started the process that is the issuing source of the memory operation system call, is the same as the allocation-destination user, who started the process that is the allocation destination of the memory area operated on by the issued memory operation system call; and the computer suspends execution of a memory operation system call for which it determined that the issuing-source user differs from the allocation-destination user.

10. An execution control program product that causes a computer to execute: a determination process that determines, for a memory operation system call, that is, a system call issued for an operation on a memory area, among the system calls issued to the operating system by processes started by users, whether the issuing-source user, who started the process that is the issuing source of the memory operation system call, is the same as the allocation-destination user, who started the process that is the allocation destination of the memory area operated on by the issued memory operation system call; and a suspension process that suspends execution of a memory operation system call for which it was determined that the issuing-source user differs from the allocation-destination user.
TW104135742A 2015-09-07 2015-10-30 Execution control device and execution control method and execution control program product TWI626557B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2015/075319 WO2017042860A1 (en) 2015-09-07 2015-09-07 Execution control device, execution control method, and execution control program

Publications (2)

Publication Number Publication Date
TW201710942A true TW201710942A (en) 2017-03-16
TWI626557B TWI626557B (en) 2018-06-11
