Method and computing system capable of enhancing memory protection

By introducing a protection service module and an MMU manager into the computing system, combined with the virtual machine manager and the protection manager of the main VM, the physical address array can be directly obtained and integrity protection can be performed, solving the security and performance problems of traditional Android operating system memory protection and achieving more efficient memory protection.

CN116893873B · Active · Publication Date: 2026-06-30 · MEDIATEK INC

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
MEDIATEK INC
Filing Date
2022-11-25
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

In existing technologies, traditional Android operating systems rely on the Linux kernel or TEE for memory protection, which poses security risks or has limited resources and high overhead, resulting in unreliable memory protection.

Method used

By introducing a protection service module and an MMU manager into the computing system, combined with the virtual machine manager and the protection manager of the host VM, the physical address array can be obtained directly from the MMU manager, and the security and performance of memory protection can be ensured through the MMU integrity protection module or the MMU integrity monitor.

Benefits of technology

It improves the security and performance of memory protection, prevents memory tampering or attacks, reduces the impact on Linux kernel performance, and avoids resource waste.



Abstract

This invention provides a method and computing system capable of enhancing memory protection related to the operating system kernel, thereby ensuring system security. The computing system provided by this invention may include: a processor configured to execute a guest virtual machine (VM), wherein an operating system (OS) runs on the guest VM, and an application (APP) runs on the OS. The kernel of the OS includes: a protection service module configured to receive at least one virtual address and first size information sent by a client of the APP; and a memory management unit (MMU) manager. The computing system further includes a virtual machine manager configured to receive the at least one virtual address and the first size information sent by the protection service module. The computing system also includes a host VM, which includes: a protection manager configured to receive and obtain a physical address array and second size information based on the at least one virtual address and the first size information to protect memory allocated by the kernel of the OS.

Description

Technical Field

[0001] This invention relates to the field of memory protection technology, and more particularly to methods and computing systems capable of enhancing memory protection related to the operating system kernel.

Background Technology

[0002] For traditional Android operating systems (OS) that use a monolithic operating system (such as Linux) as their kernel, resource protection (for example, of memory allocated by the Linux kernel, which Linux can control for applications, drivers, and services in use) is implemented by the Linux kernel or by a Trusted Execution Environment (TEE). When resource protection is implemented by the Linux kernel, the kernel's own vulnerabilities expose that protection to attack, so the resource protection can fail. While a TEE may offer higher security, it may have limited resources, incur significant overhead, and hinder feature development. Therefore, there is an urgent need for a new system that protects memory allocated by the operating system kernel without degrading kernel performance or increasing cost.

Summary of the Invention

[0003] This invention provides a method and computing system that can enhance memory protection related to the operating system kernel, thereby ensuring system security.

[0004] In one embodiment, a computing system provided by the present invention may include: a processor configured to execute a guest virtual machine (VM), wherein an operating system (OS) runs on the guest VM and an application (APP) runs on the OS, wherein the kernel of the OS includes: a protection service module configured to receive at least one virtual address and first size information sent by a client of the APP; and a memory management unit (MMU) manager configured to manage the MMU; the computing system further includes a virtual machine manager configured to receive the at least one virtual address and the first size information sent by the protection service module; the computing system further includes a master VM, the master VM including: a protection manager configured to receive the at least one virtual address and the first size information sent by the virtual machine manager, obtain a physical address array and second size information corresponding to the physical address array based on the at least one virtual address and the first size information, and protect the memory allocated by the kernel of the OS based on the physical address array and the second size information.

[0005] In one embodiment, the present invention provides a method for enhancing memory protection, implemented in a computing system including a processor. The method includes: running an operating system (OS) on a guest virtual machine (VM); running an application (APP) on the OS; receiving, at a virtual machine manager, at least one virtual address and first size information sent by a client of the APP; receiving, at a host VM, the at least one virtual address and the first size information sent by the virtual machine manager; obtaining, at the host VM, a physical address array and second size information corresponding to the physical address array based on the at least one virtual address and the first size information; and protecting memory allocated by the kernel of the OS based on the physical address array and the second size information.

Description of the Attached Figures

[0006] Figure 1 is a diagram of an electronic device 10 according to an embodiment of the present invention.

[0007] Figure 2 shows a system 20 capable of enhancing memory protection associated with the kernel of an operating system according to an embodiment of the present invention.

[0008] Figure 3 shows a system 30 capable of enhancing memory protection associated with the operating system kernel according to another embodiment of the present invention.

[0009] Figure 4 shows a system 40 capable of enhancing memory protection associated with the operating system kernel according to another embodiment of the present invention.

Detailed Implementation

[0010] The following description is for illustrative purposes only and should not be construed as limiting. The scope of the invention is best determined by referring to the appended claims.

[0011] Figure 1 is a diagram of an electronic device 10 according to one embodiment of the present invention. By way of example and not limitation, the electronic device 10 may be a portable device, such as a smartphone or tablet computer. The electronic device 10 may include a processor 12, a storage device 14, and hardware circuitry 16. The processor 12 may be a single-core processor or a multi-core processor. The storage device 14 is a computer-readable medium for storing computer program code PROG. The processor 12 is equipped with software execution capabilities. The computer program code PROG may include multiple software modules. Therefore, when loaded and executed by the processor 12, the computer program code PROG instructs the processor 12 to perform the specified functions of the software modules. The electronic device 10 can be considered a computer system using a computer program product, which includes a computer-readable medium containing computer program code. The hardware circuitry 16 is pure hardware, may consist only of logic gates, and can perform specified functions without software execution. The system proposed in this invention for enhancing memory protection associated with the kernel of an operating system (OS) may reside on the electronic device 10. For example, the system may include software-based functions implemented by the computer program code PROG running on the processor 12 and hardware-based functions implemented by the hardware circuitry 16.

[0012] Figure 2 illustrates a system 20 capable of enhancing memory protection associated with the kernel of an operating system according to an embodiment of the present invention. System 20 may include a processor (e.g., the processor 12 shown in Figure 1) configured to execute software modules, including a guest virtual machine (VM) 200, a hypervisor 220, and a host VM 240. Android can run on the guest VM 200 (i.e., the operating system of the guest VM 200 is Android), and the application (APP) 202 can run on Android. The kernel of Android can be Linux (hereinafter referred to as the "Linux kernel" for brevity). To enhance the protection of the memory 210 allocated by the Linux kernel (e.g., the Linux kernel can control memory for the APP, drivers, and services in use), the client 204 of the APP 202 can send at least one virtual address (VA) and first size information SIZE_1 corresponding to the at least one virtual address VA to the Linux kernel, wherein the at least one virtual address VA can represent the virtual address of the memory 210, and the first size information SIZE_1 can represent the size of the memory 210.

[0013] The Linux kernel may include a protection service module 206 and a memory management unit (MMU) manager 208. The protection service module 206 can be used to receive at least one virtual address (VA) and first size information (SIZE_1) sent by the client 204 of the application 202 for the purpose of protecting memory 210. The MMU manager 208 can be configured to manage the MMU (not shown in Figure 1). In this embodiment, the MMU manager 208 may include at least one logical-to-physical (L2P) address mapping table 209 (shown in Figure 2). The MMU manager 208 can be configured to translate at least one virtual address VA into at least one physical address according to the at least one L2P address mapping table 209 to generate a physical address array PA_ARRAY and second size information SIZE_2 corresponding to the physical address array PA_ARRAY, wherein the second size information SIZE_2 can represent the size of the physical address array PA_ARRAY. The virtual machine manager 220 can be configured to receive at least one virtual address VA and first size information SIZE_1 sent by the protection service module 206.

[0014] The host VM 240 may include a protection manager 242, which is configured to: receive at least one virtual address VA and first size information SIZE_1 sent by the virtual machine manager 220; obtain a physical address array PA_ARRAY and second size information SIZE_2 from the MMU manager 208 based on the at least one virtual address VA and the first size information SIZE_1; and protect memory 210 based on the physical address array PA_ARRAY and the second size information SIZE_2. Furthermore, the host VM 240 may further include an MMU integrity protection module 244. The MMU integrity protection module 244 may be configured to protect the at least one L2P address mapping table 209 (marked as "protected" in Figure 2).

[0015] Consider a scenario (referred to as "Scenario 1") in which the host VM 240 consists only of a protection manager 242 and receives the physical address array PA_ARRAY and the second size information SIZE_2 from the virtual machine manager 220. Specifically, the protection service module 206 obtains the physical address array PA_ARRAY and the second size information SIZE_2 from the MMU manager 208 based on at least one virtual address VA and the first size information SIZE_1, and sends the physical address array PA_ARRAY and the second size information SIZE_2 to the protection manager 242 via the virtual machine manager 220. In Scenario 1, from a security perspective, the reliability of the physical address array PA_ARRAY obtained from the MMU manager 208 cannot be determined, and while the obtained physical address array PA_ARRAY is being transferred to the protection manager 242 via the virtual machine manager 220, it may be tampered with or attacked (e.g., an attacker may use a fake protection service module to attack system 20). In terms of performance, transferring the physical address array PA_ARRAY to the protection manager 242 via the virtual machine manager 220 may degrade the performance of system 20. For example, to protect 32 megabytes (MB) of memory, a physical address array of 34 kilobytes (KB) needs to be transferred.

[0016] Compared to Scenario 1, in the system 20 of Figure 2 only the at least one virtual address VA and the first size information SIZE_1 are transferred from the Linux kernel to the protection manager 242 via the virtual machine manager 220, which prevents tampering with or attacks on system 20 during this transfer. The MMU integrity protection module 244 can be configured to ensure the trustworthiness of the at least one virtual address VA and the first size information SIZE_1 by protecting the at least one L2P address mapping table 209. As a result, the system 20 shown in Figure 2 is much more secure than Scenario 1. Furthermore, the protection manager 242 can directly obtain the physical address array PA_ARRAY and the second size information SIZE_2 from the MMU manager 208 based on the at least one virtual address VA and the first size information SIZE_1 sent by the virtual machine manager 220, thereby improving the performance of system 20.

[0017] However, protecting the at least one L2P address mapping table 209 may degrade Linux kernel performance. Furthermore, the MMU integrity protection module 244 may provide a write mechanism for the at least one L2P address mapping table 209 to the MMU manager 208, where the high overhead of the write mechanism may impact MMU performance. To address these issues, at least one virtual L2P address mapping table may be provided to the MMU manager. Please refer to Figure 3, which shows a system 30 capable of enhancing memory protection associated with the operating system kernel according to another embodiment of the invention. System 30 may include a processor (e.g., the processor 12 shown in Figure 1) configured to execute software modules including a guest VM 300, a virtual machine manager 320, and a host VM 340, wherein Android can run on the guest VM 300 (i.e., the operating system of the guest VM 300 is Android), the APP 302 can run on Android, and the kernel of Android may be Linux. To protect the memory 310 allocated by the Linux kernel (e.g., the Linux kernel can control memory for the APP, drivers, and services in use), the client 304 of the APP 302 can send at least one virtual address VA and first size information SIZE_1 corresponding to the at least one virtual address VA to the Linux kernel, wherein the at least one virtual address VA can represent a virtual address of the memory 310, and the first size information SIZE_1 can represent the size of the memory 310.

[0018] The Linux kernel may include a protection service module 306 and an MMU manager 308. The protection service module 306 may be configured to receive at least one virtual address (VA) and first size information (SIZE_1) sent by the client 304 of the APP 302 for the purpose of protecting memory 310. The MMU manager 308 may be configured to manage the MMU (not shown in Figure 3). The virtual machine manager 320 can be configured to receive at least one virtual address VA and first size information SIZE_1 sent by the protection service module 206. Additionally, the virtual machine manager 320 may include a virtual L2P address mapping table manager 321, which can be configured to: receive at least one L2P address mapping table 322 (marked as "L2P table" in Figure 3); convert at least one virtual address VA into at least one physical address according to the at least one L2P address mapping table 322 to generate a physical address array PA_ARRAY and second size information SIZE_2 corresponding to the physical address array PA_ARRAY; and provide at least one virtual L2P address mapping table 309 (marked as "vL2P table" in Figure 3) to the MMU manager 308. The second size information SIZE_2 can represent the size of the physical address array PA_ARRAY.

[0019] The host VM 340 may include a protection manager 342, which is configured to: receive at least one virtual address VA and first size information SIZE_1 sent by the virtual machine manager 320; obtain a physical address array PA_ARRAY and second size information SIZE_2 from the virtual L2P address mapping table manager 321 based on the at least one virtual address VA and the first size information SIZE_1; and protect the memory 310 based on the physical address array PA_ARRAY and the second size information SIZE_2. Furthermore, the host VM 340 may also include an MMU integrity protection module 344. In this embodiment, the MMU integrity protection module 344 may be configured to protect the virtual L2P address mapping table manager 321 (marked as "protected" in Figure 3).

[0020] Compared to the system 20 shown in Figure 2, the system 30 shown in Figure 3 does not require the MMU integrity protection module 344 to provide a write mechanism for at least one L2P address mapping table to the MMU manager 308, thereby avoiding the high overhead of the write mechanism impacting MMU performance. Furthermore, the MMU integrity protection module 344 protects the virtual L2P address mapping table manager 321 rather than at least one L2P address mapping table, which mitigates the Linux kernel performance degradation caused by protecting at least one L2P address mapping table.
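The security argument of paragraphs [0015]-[0016] and the variant of [0018]-[0020] both come down to where the virtual-to-physical translation happens: in Scenario 1 the host VM receives a finished PA_ARRAY it cannot verify, whereas in the Figure 2 and Figure 3 designs it receives only (VA, SIZE_1) and resolves the range itself against a table it trusts (the integrity-protected table 209, or the hypervisor-held table 322). The C model below is an added illustration written for this page, not code from the patent or from MediaTek; it assumes 4 KiB pages, a flat L2P table indexed by virtual page number, and a per-page bitmap standing in for whatever the host VM does to protect a page. It shows a tampered PA_ARRAY being applied unchecked on the Scenario 1 path, and being caught on the path where the host holds a trustworthy mapping.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (assumption, not the patent's code): 4 KiB pages, a flat
 * L2P table indexed by virtual page number (VPN), and a per-physical-page
 * "protected" bitmap in place of the host VM's real protection mechanism. */
#define PAGE_SHIFT  12u
#define NUM_VPAGES  64u
#define NUM_PPAGES  256u
#define PA_INVALID  UINT32_MAX

typedef struct { uint32_t ppn_of_vpn[NUM_VPAGES]; } l2p_table_t;  /* VPN -> physical page */
typedef struct { uint32_t ppn[NUM_VPAGES]; size_t count; } pa_array_t; /* PA_ARRAY + SIZE_2 */
typedef struct { bool protected_ppn[NUM_PPAGES]; } host_vm_t;        /* host VM view */

/* Constructed sample table: VPN v maps to physical page 128 + v. */
static void l2p_init_sample(l2p_table_t *t)
{
    for (uint32_t v = 0; v < NUM_VPAGES; v++) t->ppn_of_vpn[v] = 128u + v;
}

/* MMU manager role: translate (VA, SIZE_1) into PA_ARRAY / SIZE_2.
 * Fails on an empty, overflowing, out-of-table or unmapped range. */
static bool mmu_translate(const l2p_table_t *t, uint32_t va, uint32_t size1, pa_array_t *out)
{
    if (size1 == 0 || va > UINT32_MAX - (size1 - 1)) return false;
    uint32_t first = va >> PAGE_SHIFT;
    uint32_t last  = (va + size1 - 1) >> PAGE_SHIFT;
    if (last >= NUM_VPAGES) return false;
    out->count = 0;
    for (uint32_t v = first; v <= last; v++) {
        uint32_t p = t->ppn_of_vpn[v];
        if (p == PA_INVALID || p >= NUM_PPAGES) return false;
        out->ppn[out->count++] = p;
    }
    return true;
}

/* Figure 2 / Figure 3 path: only (VA, SIZE_1) crosses the hypervisor; the
 * protection manager resolves the range against a table it trusts. */
static bool protect_via_trusted_table(host_vm_t *h, const l2p_table_t *trusted,
                                      uint32_t va, uint32_t size1)
{
    pa_array_t arr;
    if (!mmu_translate(trusted, va, size1, &arr)) return false;
    for (size_t i = 0; i < arr.count; i++) h->protected_ppn[arr.ppn[i]] = true;
    return true;
}

/* Scenario 1 path: the host VM receives a ready-made PA_ARRAY from the guest
 * kernel and has nothing to check it against, so it applies it as given. */
static bool protect_via_supplied_array(host_vm_t *h, const pa_array_t *supplied)
{
    for (size_t i = 0; i < supplied->count; i++) {
        if (supplied->ppn[i] >= NUM_PPAGES) return false;
        h->protected_ppn[supplied->ppn[i]] = true;
    }
    return true;
}

/* Compare a supplied PA_ARRAY with a trusted translation of the same request.
 * This check is only possible when the host holds a trustworthy mapping,
 * which is what the Figure 2 / Figure 3 designs give it. */
static bool pa_array_matches(const l2p_table_t *trusted, uint32_t va, uint32_t size1,
                             const pa_array_t *supplied)
{
    pa_array_t expect;
    if (!mmu_translate(trusted, va, size1, &expect)) return false;
    if (expect.count != supplied->count) return false;
    return memcmp(expect.ppn, supplied->ppn, expect.count * sizeof expect.ppn[0]) == 0;
}

static size_t count_protected(const host_vm_t *h)
{
    size_t n = 0;
    for (uint32_t p = 0; p < NUM_PPAGES; p++) n += h->protected_ppn[p] ? 1 : 0;
    return n;
}

int main(void)
{
    l2p_table_t t; l2p_init_sample(&t);
    uint32_t va = 0x1000, size1 = 3u << PAGE_SHIFT;   /* VPNs 1..3 -> PPNs 129..131 */

    host_vm_t fig2 = {{false}};
    protect_via_trusted_table(&fig2, &t, va, size1);

    /* Scenario 1 with an array altered in transit: the last entry was redirected. */
    pa_array_t tampered = {{129, 130, 200}, 3};
    host_vm_t sc1 = {{false}};
    protect_via_supplied_array(&sc1, &tampered);

    printf("trusted path protects %zu pages incl. 131=%d; scenario 1 protects 131=%d 200=%d; "
           "tampered array verifies=%d\n", count_protected(&fig2), fig2.protected_ppn[131],
           sc1.protected_ppn[131], sc1.protected_ppn[200], pa_array_matches(&t, va, size1, &tampered));
    return 0;
}
```

The bitmap is deliberately the only "protection" modelled: the point is not how a page is locked down but which component decides the page list. On the Scenario 1 path the redirected entry silently moves protection from physical page 131 to page 200, leaving the page the client asked about unprotected; on the trusted-table path the same request always resolves to the same pages, and a supplied array can be cross-checked.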

[0021] Figure 4 shows a system 40 capable of enhancing memory protection associated with the operating system kernel according to another embodiment of the invention. System 40 may include a processor (e.g., the processor 12 shown in Figure 1) configured to execute software modules including a guest VM 400, a virtual machine manager 420, and a host VM 440, wherein Android can run on the guest VM 400 (i.e., the operating system of the guest VM 400 is Android), the APP 402 can run on Android, and the kernel of Android may be Linux. To protect the memory 410 allocated by the Linux kernel (e.g., the Linux kernel can control memory for the APP, drivers, and services in use), the client 404 of the APP 402 can send at least one virtual address VA and first size information SIZE_1 corresponding to the at least one virtual address VA to the Linux kernel, wherein the at least one virtual address VA may represent a virtual address of the memory 410, and the first size information SIZE_1 may represent the size of the memory 410.

[0022] The Linux kernel may include a protection service module 406 and an MMU manager 408. The protection service module 406 may be configured to receive at least one virtual address (VA) and first size information (SIZE_1) sent by the client 404 of the APP 402 for the purpose of protecting memory 410. The MMU manager 408 may be configured to manage the MMU (not shown in Figure 4). In this embodiment, the MMU manager 408 may include at least one L2P address mapping table 409 (marked as "L2P table" in Figure 4), according to which at least one virtual address VA is translated. The virtual machine manager 420 can be configured to receive at least one virtual address VA and first size information SIZE_1 sent by the protection service module 406.

[0023] The host VM 440 may include a protection manager 442, which may be configured to: receive at least one virtual address VA and first size information SIZE_1 sent by the virtual machine manager 420; obtain a physical address array PA_ARRAY and second size information SIZE_2 from the MMU manager 408 based on the at least one virtual address VA and the first size information SIZE_1; and protect the memory 410 based on the physical address array PA_ARRAY and the second size information SIZE_2. The difference between the system 20 shown in Figure 2 and the system 40 shown in Figure 4 is that, instead of an MMU integrity protection module, the host VM 440 may include an MMU integrity monitor 444. The MMU manager 408 can be registered with the virtual machine manager 420 (marked as "Register" in Figure 4). The virtual machine manager 420 can also be configured to send a monitoring signal MS to the host VM 440 (more specifically, to the MMU integrity monitor 444) for monitoring the MMU manager 408.

[0024] In this embodiment, the MMU manager 408 is legitimate for the system 40, and the MMU integrity monitor 444 can be configured to monitor, according to the monitoring signal MS sent by the virtual machine manager 420 (marked as "monitor" in Figure 4), accesses (e.g., reads or writes) to the at least one L2P address mapping table 409 to determine whether such access is illegal for the system 40. In response to an illegal access to the at least one L2P address mapping table 409, the MMU integrity monitor 444 can be further configured to prevent the protection manager 442 from protecting the memory 410 allocated by the Linux kernel. Compared to the system 20 shown in Figure 2, the system 40 shown in Figure 4 has better Linux kernel performance. However, system 40, which monitors the MMU manager 408, is no more secure than system 20, which protects the MMU manager 208, and it must be ensured that the MMU manager 408 is legitimate for system 40.

[0025] In some embodiments, it is not necessary to ensure that the MMU manager 408 is legitimate to the system 40. Regardless of whether the MMU manager 408 is legitimate to the system 40, the MMU integrity monitor 444 can be configured to monitor the resources of the MMU manager 408 to determine whether the resources of the MMU manager 408 are illegitimate to the system 40. In response to the MMU manager 408's resources being illegitimate to the system 40, the MMU integrity monitor 444 can be further configured to prevent the protection manager 442 from protecting memory 410.
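Paragraphs [0023]-[0025] describe the Figure 4 arrangement: the MMU manager registers with the hypervisor, the hypervisor forwards a monitoring signal MS for each access to the L2P table, and the MMU integrity monitor decides whether the access (or, in the [0025] variant, the MMU manager's resources) is illegal and, if so, stops the protection manager from protecting memory. The C model below is an added illustration written for this page, not code from the patent or from MediaTek. It assumes the hypervisor tags each table access with the id of the component that made it, that a write is legal only from the registered MMU manager, and that "resources" means the region the manager's table is allowed to occupy; the ids and region bounds are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (assumption, not the patent's code). The hypervisor tags
 * each L2P-table access with the accessing component's id and forwards it as
 * the monitoring signal MS; the monitor judges legality and gates protection. */
#define NUM_VPAGES          64u
#define MMU_MANAGER_408_ID  0x408u   /* constructed id for the registered MMU manager */

typedef enum { ACCESS_READ = 0, ACCESS_WRITE = 1 } access_kind_t;

typedef struct {
    uint32_t      actor_id;   /* component that touched the table */
    access_kind_t kind;
    uint32_t      vpn;        /* which L2P entry was accessed */
} monitor_signal_t;           /* one MS from the hypervisor */

typedef struct {
    uint32_t registered_mmu_manager;  /* set by "Register" (0 = nothing registered) */
    uint32_t allowed_base, allowed_len; /* registered resource region (assumption) */
    uint32_t illegal_accesses;
    bool     tainted;                 /* once set, the protection manager is blocked */
} mmu_integrity_monitor_t;

static void monitor_init(mmu_integrity_monitor_t *m)
{
    m->registered_mmu_manager = 0;
    m->allowed_base = 0; m->allowed_len = 0;
    m->illegal_accesses = 0;
    m->tainted = false;
}

/* "Register": the hypervisor records which MMU manager is the legitimate one
 * and which resources it owns. */
static void monitor_register(mmu_integrity_monitor_t *m, uint32_t mmu_manager_id,
                             uint32_t table_base, uint32_t table_len)
{
    m->registered_mmu_manager = mmu_manager_id;
    m->allowed_base = table_base;
    m->allowed_len  = table_len;
}

/* Legality rule (assumption): reads are fine from anyone; writes are legal
 * only from the registered MMU manager; out-of-range entries are illegal. */
static bool monitor_is_illegal(const mmu_integrity_monitor_t *m, const monitor_signal_t *s)
{
    if (s->vpn >= NUM_VPAGES) return true;
    if (s->kind != ACCESS_WRITE) return false;
    return m->registered_mmu_manager == 0 || s->actor_id != m->registered_mmu_manager;
}

/* Consume one MS. Returns true when the access was illegal (and taints). */
static bool monitor_observe(mmu_integrity_monitor_t *m, const monitor_signal_t *s)
{
    if (!monitor_is_illegal(m, s)) return false;
    m->illegal_accesses++;
    m->tainted = true;
    return true;
}

/* [0025] variant: judge the MMU manager's resources instead of each access.
 * A table placed outside the registered region is illegitimate and taints. */
static bool monitor_check_resources(mmu_integrity_monitor_t *m, uint32_t table_base, uint32_t table_len)
{
    bool ok = table_len != 0 &&
              table_base >= m->allowed_base &&
              table_len <= m->allowed_len &&
              table_base - m->allowed_base <= m->allowed_len - table_len;
    if (!ok) m->tainted = true;
    return ok;
}

/* Protection manager 442 gate: protect only while the monitor is clean. */
static bool protection_manager_may_protect(const mmu_integrity_monitor_t *m)
{
    return !m->tainted;
}

/* Feed a sequence of MS; returns how many were illegal. */
static uint32_t monitor_run(mmu_integrity_monitor_t *m, const monitor_signal_t *seq, size_t n)
{
    for (size_t i = 0; i < n; i++) monitor_observe(m, &seq[i]);
    return m->illegal_accesses;
}

int main(void)
{
    mmu_integrity_monitor_t m;
    monitor_init(&m);
    monitor_register(&m, MMU_MANAGER_408_ID, 0x80000000u, 0x1000u);

    /* Constructed sequence: two legitimate accesses, then a write from an
     * unregistered component. */
    const monitor_signal_t seq[] = {
        { MMU_MANAGER_408_ID, ACCESS_WRITE, 3 },
        { 0x999u,             ACCESS_READ,  3 },
        { 0x999u,             ACCESS_WRITE, 5 },
    };
    uint32_t bad = monitor_run(&m, seq, sizeof seq / sizeof seq[0]);
    printf("illegal accesses: %u, protection allowed: %d\n",
           (unsigned)bad, protection_manager_may_protect(&m));
    return 0;
}
```

The monitor is fail-closed: a single illegal access or an out-of-region table taints it, and the protection manager's gate stays shut afterwards, which matches the page's statement that the monitor "prevents the protection manager from protecting memory" rather than repairing the table. The trade-off the page notes also shows here: nothing in this path stops the write itself, so the design depends on the registered MMU manager being legitimate in the first place.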

[0026] In summary, since the protection manager 242 / 442 directly obtains the physical address array PA_ARRAY and the second size information SIZE_2 from the MMU manager 208 / 408 based on at least one virtual address VA and the first size information SIZE_1 sent by the virtual machine manager 220 / 420, the performance of the system 20 / 40 can be improved. Furthermore, the system 20 / 40 can be prevented from being tampered with or attacked during the transmission of the at least one virtual address VA and the first size information SIZE_1 from the virtual machine manager 220 / 420 to the protection manager 242 / 442, and the trustworthiness of the at least one virtual address VA and the first size information SIZE_1 can be guaranteed by protecting or monitoring the at least one L2P address mapping table. As a result, the security of the system 20 / 40 can be ensured.

[0027] While the invention has been described by way of example and according to preferred embodiments, it should be understood that the invention is not limited to the disclosed embodiments. Rather, it is intended to cover various modifications and similar arrangements (which will be apparent to those skilled in the art). Therefore, the scope of the appended claims should be given the broadest interpretation to cover all such modifications and similar arrangements.

Claims

1. A computing system, characterized in that it includes: a processor configured to execute a guest virtual machine, on which an operating system runs and an application runs, wherein the kernel of the operating system includes: a protection service module configured to receive at least one virtual address and first size information sent by the application's client; and a memory management unit manager configured to manage a memory management unit; the computing system further includes a virtual machine manager configured to receive the at least one virtual address and the first size information sent by the protection service module; and the computing system further includes a host virtual machine, which comprises: a protection manager configured to receive the at least one virtual address and the first size information sent by the virtual machine manager, obtain a physical address array and second size information corresponding to the physical address array based on the at least one virtual address and the first size information, and protect the memory allocated by the kernel of the operating system based on the physical address array and the second size information.

2. The computing system as described in claim 1, characterized in that the memory management unit manager includes at least one logical-to-physical address mapping table, and the memory management unit manager is configured to translate the at least one virtual address into at least one physical address according to the at least one logical-to-physical address mapping table to generate the physical address array and the second size information.

3. The computing system as described in claim 1, characterized in that the protection manager is configured to obtain the physical address array and the second size information from the memory management unit manager.

4. The computing system as described in claim 2, characterized in that the host virtual machine further includes: a memory management unit integrity protection module configured to protect the at least one logical-to-physical address mapping table.

5. The computing system as described in claim 1, characterized in that the virtual machine manager includes a virtual logical-to-physical address mapping table manager, which is configured to: receive at least one logical-to-physical address mapping table; convert the at least one virtual address into at least one physical address according to the at least one logical-to-physical address mapping table to generate the physical address array and the second size information; and provide at least one virtual logical-to-physical address mapping table to the memory management unit manager.

6. The computing system as described in claim 5, characterized in that the protection manager is configured to obtain the physical address array and the second size information from the virtual logical-to-physical address mapping table manager based on the at least one virtual address and the first size information.

7. The computing system as described in claim 5, characterized in that the host virtual machine further includes: a memory management unit integrity protection module configured to protect the virtual logical-to-physical address mapping table manager.

8. The computing system as described in claim 1, characterized in that the protection manager is configured to obtain the physical address array and the second size information based on the at least one virtual address and the first size information; the memory management unit manager is registered with the virtual machine manager; and the virtual machine manager is further configured to send a monitoring signal to the host virtual machine.

9. The computing system as described in claim 8, characterized in that the memory management unit manager is legitimate for the system; the memory management unit manager includes at least one logical-to-physical address mapping table; the memory management unit manager is configured to translate the at least one virtual address into at least one physical address according to the at least one logical-to-physical address mapping table to generate the physical address array and the second size information; and the host virtual machine further includes: a memory management unit integrity monitor configured to monitor access to the at least one logical-to-physical address mapping table according to the monitoring signal sent by the virtual machine manager, in order to determine whether such access to the at least one logical-to-physical address mapping table is illegal for the system.

10. The computing system as described in claim 9, characterized in that, in response to such access to the at least one logical-to-physical address mapping table being illegal for the system, the memory management unit integrity monitor is further configured to prevent the protection manager from protecting the memory allocated by the kernel of the operating system.

11. The computing system as described in claim 8, characterized in that the host virtual machine further includes: a memory management unit integrity monitor configured to monitor the resources of the memory management unit manager to determine whether the resources of the memory management unit manager are illegal for the system.

12. The computing system as described in claim 11, characterized in that, in response to the resources of the memory management unit manager being illegal for the system, the memory management unit integrity monitor is further configured to prevent the protection manager from protecting the memory allocated by the kernel of the operating system.

13. A method for enhancing memory protection, implemented in a computing system including a processor, characterized in that the method includes: running an operating system on a guest virtual machine; running an application on the operating system; receiving, at a virtual machine manager, at least one virtual address and first size information sent by the application's client; receiving, at a host virtual machine, the at least one virtual address and the first size information sent by the virtual machine manager; and obtaining, at the host virtual machine, a physical address array and second size information corresponding to the physical address array based on the at least one virtual address and the first size information, and protecting the memory allocated by the kernel of the operating system based on the physical address array and the second size information.