-
Publication number: WO2008091452A1
Publication date: 2008-07-31
Application number: PCT/US2007/087225
Application date: 2007-12-12
Applicant: MICROSOFT CORPORATION
Inventor: TRAUT, Eric; FOLTZ, Forrest; THORNTON, Andrew; SINHA, Suyash
IPC: G06F9/06
CPC classification number: G06F12/1491, G06F9/45533, G06F21/554
Abstract: This document describes tools capable of making a portion of operating-system memory associated with a protection agent unalterable or inaccessible from an operating-system privilege mode. In some embodiments, these tools are capable of creating a protection-agent privilege mode by requesting that a virtual machine monitor protect this portion of operating-system memory. In other embodiments, these tools are capable of creating the protection-agent privilege mode by virtualizing a physical processor into multiple virtual processors, at least one of which is a protection-agent virtual processor designed to run the protection agent. By making this portion of operating-system memory unalterable or inaccessible from the operating-system privilege mode, the protection agent may be less vulnerable to attacks by entities operating within the operating-system privilege mode.
-
Publication number: EP2115570A1
Publication date: 2009-11-11
Application number: EP07869154.0
Application date: 2007-12-12
Applicant: Microsoft Corporation
Inventor: TRAUT, Eric; FOLTZ, Forrest; THORNTON, Andrew; SINHA, Suyash
IPC: G06F9/06
CPC classification number: G06F12/1491, G06F9/45533, G06F21/554
Abstract: This document describes tools capable of making a portion of operating-system memory associated with a protection agent unalterable or inaccessible from an operating-system privilege mode. In some embodiments, these tools are capable of creating a protection-agent privilege mode by requesting that a virtual machine monitor protect this portion of operating-system memory. In other embodiments, these tools are capable of creating the protection-agent privilege mode by virtualizing a physical processor into multiple virtual processors, at least one of which is a protection-agent virtual processor designed to run the protection agent. By making this portion of operating-system memory unalterable or inaccessible from the operating-system privilege mode, the protection agent may be less vulnerable to attacks by entities operating within the operating-system privilege mode.
-