US-12619556-B2 - Security vulnerability mitigation using hardware-supported context-dependent address space hiding
Abstract
A system, method and processor that mitigate security vulnerabilities using context-dependent address space hiding. In some embodiments, a hardware mechanism allows a more-privileged software component managing multiple less-privileged software components to blind itself against “out-of-context” less-privileged software components. The hardware mechanism can allow the more-privileged software component to dynamically hide the portion of the more-privileged address space related to the “out-of-context” less-privileged software components, based on knowledge of which less-privileged software component is “in-context”. A context register is set with a value from which an address range within the address space of the more-privileged software component can be determined, where the address range is associated with a first less-privileged software component. When the more-privileged software component attempts to access data belonging to other less-privileged software components, it is prevented from accessing that data, based at least in part on the context register.
Inventors
- Nathan Yong Seng Chong
- Karimallah Ahmed Mohammed Raslan
Assignees
- Amazon Technologies, Inc.
Dates
- Publication Date
- 2026-05-05
- Application Date
- 2024-04-08
Claims (20)
- 1 . A device, comprising: one or more hardware registers; and address translation circuitry configured to translate, for memory access instructions, addresses in a virtual address space to addresses in a physical address space for accessing physical memory, wherein the virtual address space comprises a plurality of portions of different privilege levels including a lower privilege level and a higher privilege level, and wherein to translate an address in the virtual address space for a memory access, the address translation circuitry is configured to: determine whether to apply context dependent memory access security; responsive to a determination to apply context dependent memory access security, determine, based on contents of the one or more hardware registers, whether the address in the virtual address space is within a subset of one or more portions of the virtual address space of the lower privilege level; responsive to a determination the address in the virtual address space is within the subset of the one or more portions of the virtual address space of the lower privilege level, allow translation of the address in the virtual address space to an address in the physical address space; and responsive to a determination the address in the virtual address space is not within the subset of the one or more portions of the virtual address space of the lower privilege level, block the memory access.
- 2 . The device of claim 1 , wherein to translate the address in the virtual address space for the memory access, the address translation circuitry is configured to: responsive to a determination to not apply context dependent memory access security, allow translation of the address in the virtual address space to the address in the physical address space.
- 3 . The device of claim 1 , further comprising: one or more hardware execution units configured to execute program instructions for a more-privileged software component and a plurality of less-privileged software components, wherein the more-privileged software component has a higher memory access privilege than respective memory access privileges of the plurality of less-privileged software components, and wherein the more-privileged software component is configured to perform management tasks on behalf of the plurality of less-privileged software components using management data at one or more portions of a virtual address space to which the more-privileged software component has access according to the higher memory access privilege.
- 4 . The device of claim 3 , wherein to translate the address in the virtual address space for the memory access, the address translation circuitry is configured to: determine whether the address in the virtual address space is within another one or more portions of the virtual address space used by the more-privileged software component; and responsive to a determination that the address in the virtual address space is not within the other one or more portions of the virtual address space, allow translation of the address in the virtual address space to an address in the physical address space; wherein to determine whether the address in the virtual address space is within the subset of the one or more portions of the virtual address space is responsive to the determination to apply context dependent memory access security and responsive to the determination that the address in the virtual address space is within the other one or more portions of the virtual address space used by the more-privileged software component.
- 5 . The device of claim 3 , wherein to translate the address in the virtual address space for the memory access, the address translation circuitry is configured to: determine whether the address in the virtual address space is within another one or more portions of the virtual address space used by the more-privileged software component; and responsive to a determination that the address in the virtual address space is not within the other one or more portions of the virtual address space, allow translation of the address in the virtual address space to an address in the physical address space; wherein to determine whether to apply the context dependent memory access security is responsive to the determination that the address in the virtual address space is within the other one or more portions of the virtual address space used by the more-privileged software component.
- 6 . The device of claim 3 , wherein the one or more hardware registers comprise: a first hardware register for storing location information for the one or more portions of the virtual address space used by the more-privileged software component; and a second hardware register for storing an identifier for one of the plurality of less-privileged software components for which the more-privileged software component is to perform a management task, wherein the identifier maps to a subset of the one or more portions of the virtual address space; wherein the determination to apply context dependent memory access security is based on contents of the first and second hardware registers.
- 7 . The device of claim 6 , wherein the one or more hardware registers further comprise a third hardware register for storing a fixed size of subsets of the one or more portions of the virtual address space, including the subset, used by the more-privileged software component to store the management data for performing the management tasks on behalf of individual less-privileged software components of the plurality of less-privileged software components, and wherein to determine whether the address in the virtual address space is within the subset of the one or more portions of the virtual address space, the address translation circuitry is further configured to: determine a beginning virtual address, of the subset of the one or more portions of the virtual address space, by multiplying the third register with the second register and adding a result of the multiplication to the first register; determine an ending virtual address by adding the second register to the beginning virtual address; and determine whether the address in the virtual address space is between the beginning virtual address and the ending virtual address.
- 8 . A system, comprising: one or more processors individually comprising: one or more hardware registers; and address translation circuitry configured to translate, for memory access instructions, addresses in a virtual address space to addresses in a physical address space for accessing physical memory, wherein the virtual address space comprises a plurality of portions of different privilege levels including a lower privilege level and a higher privilege level, and wherein to translate an address in the virtual address space for a memory access, the address translation circuitry is configured to: determine whether to apply context dependent memory access security; responsive to a determination to apply context dependent memory access security, determine, based on contents of the one or more hardware registers, whether the address in the virtual address space is within a subset of one or more portions of the virtual address space of the lower privilege level; responsive to a determination the address in the virtual address space is within the subset of the one or more portions of the virtual address space of the lower privilege level, allow translation of the address in the virtual address space to an address in the physical address space; and responsive to a determination the address in the virtual address space is not within the subset of the one or more portions of the virtual address space of the lower privilege level, block the memory access.
- 9 . The system of claim 8 , wherein to translate the address in the virtual address space for the memory access, the address translation circuitry is configured to: responsive to a determination to not apply context dependent memory access security, allow translation of the address in the virtual address space to the address in the physical address space.
- 10 . The system of claim 8 , wherein the one or more processors further individually comprise: one or more hardware execution units configured to execute program instructions for a more-privileged software component and a plurality of less-privileged software components, wherein the more-privileged software component has a higher memory access privilege than respective memory access privileges of the plurality of less-privileged software components, and wherein the more-privileged software component is configured to perform management tasks on behalf of the plurality of less-privileged software components using management data at one or more portions of a virtual address space to which the more-privileged software component has access according to the higher memory access privilege.
- 11 . The system of claim 10 , wherein to translate the address in the virtual address space for the memory access, the address translation circuitry is configured to: determine whether the address in the virtual address space is within another one or more portions of the virtual address space used by the more-privileged software component; and responsive to a determination that the address in the virtual address space is not within the other one or more portions of the virtual address space, allow translation of the address in the virtual address space to an address in the physical address space; wherein to determine whether the address in the virtual address space is within the subset of the one or more portions of the virtual address space is responsive to the determination to apply context dependent memory access security and responsive to the determination that the address in the virtual address space is within the other one or more portions of the virtual address space used by the more-privileged software component.
- 12 . The system of claim 10 , wherein to translate the address in the virtual address space for the memory access, the address translation circuitry is configured to: determine whether the address in the virtual address space is within another one or more portions of the virtual address space used by the more-privileged software component; and responsive to a determination that the address in the virtual address space is not within the other one or more portions of the virtual address space, allow translation of the address in the virtual address space to an address in the physical address space; wherein to determine whether to apply the context dependent memory access security is responsive to the determination that the address in the virtual address space is within the other one or more portions of the virtual address space used by the more-privileged software component.
- 13 . The system of claim 10 , wherein the one or more hardware registers comprise: a first hardware register for storing location information for the one or more portions of the virtual address space used by the more-privileged software component; and a second hardware register for storing an identifier for one of the plurality of less-privileged software components for which the more-privileged software component is to perform a management task, wherein the identifier maps to a subset of the one or more portions of the virtual address space; wherein the determination to apply context dependent memory access security is based on contents of the first and second hardware registers.
- 14 . The system of claim 13 , wherein the one or more hardware registers further comprise a third hardware register for storing a fixed size of subsets of the one or more portions of the virtual address space, including the subset, used by the more-privileged software component to store the management data for performing the management tasks on behalf of individual less-privileged software components of the plurality of less-privileged software components, and wherein to determine whether the address in the virtual address space is within the subset of the one or more portions of the virtual address space, the address translation circuitry is further configured to: determine a beginning virtual address, of the subset of the one or more portions of the virtual address space, by multiplying the third register with the second register and adding a result of the multiplication to the first register; determine an ending virtual address by adding the second register to the beginning virtual address; and determine whether the address in the virtual address space is between the beginning virtual address and the ending virtual address.
- 15 . A method, comprising: translating, in address translation circuitry of a processor on behalf of memory access instructions addresses in a virtual address space to addresses in a physical address space for accessing physical memory, wherein the virtual address space comprises a plurality of portions of different privilege levels including a lower privilege level and a higher privilege level, and wherein translating an address in the virtual address space for a memory access comprises: determining whether to apply context dependent memory access security; responsive to determining to apply context dependent memory access security, determining, based on contents of one or more hardware registers, whether the address in the virtual address space is within a subset of one or more portions of the virtual address space of the lower privilege level; responsive to determining the address in the virtual address space is within the subset of the one or more portions of the virtual address space of the lower privilege level, allowing translation of the address in the virtual address space to an address in the physical address space; and responsive to determining the address in the virtual address space is not within the subset of the one or more portions of the virtual address space of the lower privilege level, blocking the memory access.
- 16 . The method of claim 15 , wherein translating the address in the virtual address space for the memory access comprises: responsive to determining to not apply context dependent memory access security, allowing translation of the address in the virtual address space to the address in the physical address space.
- 17 . The method of claim 15 , further comprising executing program instructions for a more-privileged software component and a plurality of less-privileged software components, wherein the more-privileged software component has a higher memory access privilege than respective memory access privileges of the plurality of less-privileged software components, and wherein the more-privileged software component is configured to perform management tasks on behalf of the plurality of less-privileged software components using management data at one or more portions of a virtual address space to which the more-privileged software component has access according to the higher memory access privilege.
- 18 . The method of claim 17 , wherein translating the address in the virtual address space for the memory access comprises: determining whether the address in the virtual address space is within another one or more portions of the virtual address space used by the more-privileged software component; and responsive to a determining that the address in the virtual address space is not within the other one or more portions of the virtual address space, allowing translation of the address in the virtual address space to an address in the physical address space; wherein determining whether the address in the virtual address space is within the subset of the one or more portions of the virtual address space is performed responsive to determining to apply context dependent memory access security and responsive to determining that the address in the virtual address space is within the other one or more portions of the virtual address space used by the more-privileged software component.
- 19 . The method of claim 17 , wherein translating the address in the virtual address space for the memory access comprises: determining whether the address in the virtual address space is within another one or more portions of the virtual address space used by the more-privileged software component; and responsive to determining that the address in the virtual address space is not within the other one or more portions of the virtual address space, allowing translation of the address in the virtual address space to an address in the physical address space; wherein determining whether to apply the context dependent memory access security is performed responsive to determining that the address in the virtual address space is within the other one or more portions of the virtual address space used by the more-privileged software component.
- 20 . The method of claim 17 , wherein determining whether the address in the virtual address space is within the subset of the one or more portions of the virtual address space comprises: determining a beginning virtual address, of the subset of the one or more portions of the virtual address space, by multiplying a third register with a second register and adding a result of the multiplication to a first register, the first hardware register storing location information for the one or more portions of the virtual address space used by the more-privileged software component, the second hardware register storing an identifier for one of the plurality of less-privileged software components for which the more-privileged software component is to perform a management task, wherein the identifier maps to a subset of the one or more portions of the virtual address space and the third hardware register storing a fixed size of subsets of the one or more portions of the virtual address space, including the subset, used by the more-privileged software component to store the management data for performing the management tasks on behalf of individual less-privileged software components of the plurality of less-privileged software components; determining an ending virtual address by adding the second register to the beginning virtual address; and determining whether the address in the virtual address space is between the beginning virtual address and the ending virtual address.
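The check that claims 1 through 7 describe can be modelled in a few lines of C. The block below is an added example written for this page, not code from the patent or from Amazon: the register names (mgmt_base, context_id, slot_size), the extra mgmt_size field and enabled flag, and the sample layout of eight 4 KiB slots are all assumptions of the example. Claims 7, 14 and 20 as printed compute the end of the in-context range by adding the second register (the component identifier) to the beginning address; since the third register is the one that holds the fixed subset size, the example reads the end as beginning plus the third register. The claims also do not say what the hardware does when the context register names a slot outside the management region; the example fails closed and blocks, which is the choice a practitioner would want.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the hardware registers of claims 6 and 7.
 * The patent only calls them first, second and third register. */
typedef struct {
    uint64_t mgmt_base;  /* first register: start of the management region */
    uint64_t mgmt_size;  /* ASSUMED: total size of that region, needed for the
                            "within the portions used by the more-privileged
                            component" test of claim 4 */
    uint64_t context_id; /* second register: in-context component identifier */
    uint64_t slot_size;  /* third register: fixed size of each per-component subset */
    bool enabled;        /* ASSUMED: whether the context check applies (claim 2) */
} ctx_regs_t;

enum access_result { ACCESS_ALLOW = 0, ACCESS_BLOCK = 1 };

/* Claim 4: is the address management data of the more-privileged component at all? */
static bool in_mgmt_region(const ctx_regs_t *r, uint64_t va)
{
    return va >= r->mgmt_base && va - r->mgmt_base < r->mgmt_size;
}

/* Claim 7: begin = first + second * third; end = begin + one subset
 * (taken as the third register, see the lead-in). A context_id that
 * does not name a slot inside the region fails closed (assumption). */
static bool in_context_subset(const ctx_regs_t *r, uint64_t va)
{
    uint64_t nslots = r->slot_size ? r->mgmt_size / r->slot_size : 0;
    if (r->context_id >= nslots)
        return false;
    uint64_t begin = r->mgmt_base + r->context_id * r->slot_size;
    uint64_t end = begin + r->slot_size;
    return va >= begin && va < end;
}

/* The decision the address translation circuitry makes for one access. */
enum access_result ctx_translate_check(const ctx_regs_t *r, uint64_t va)
{
    if (!in_mgmt_region(r, va))  /* not management data: translate normally */
        return ACCESS_ALLOW;
    if (!r->enabled)             /* claim 2: check switched off */
        return ACCESS_ALLOW;
    return in_context_subset(r, va) ? ACCESS_ALLOW : ACCESS_BLOCK;
}

/* Number of per-component slots whose first byte the more-privileged
 * component can still reach under the current register contents. */
unsigned ctx_reachable_slots(const ctx_regs_t *r)
{
    if (!r->slot_size)
        return 0;
    unsigned reached = 0;
    for (uint64_t i = 0; i * r->slot_size < r->mgmt_size; i++)
        if (ctx_translate_check(r, r->mgmt_base + i * r->slot_size) == ACCESS_ALLOW)
            reached++;
    return reached;
}

/* Constructed configuration: eight components, 4 KiB of management data each. */
ctx_regs_t ctx_example_regs(bool enabled)
{
    ctx_regs_t r = { .mgmt_base = 0xFFFF000000100000ULL, .mgmt_size = 8 * 0x1000ULL,
                     .context_id = 2, .slot_size = 0x1000ULL, .enabled = enabled };
    return r;
}

/* Models the context switch of FIG. 9: on a call from component `caller`
 * the more-privileged component loads the context register first, then
 * touches offset `off` inside the management slot of component `slot`. */
enum access_result ctx_example_check(uint64_t caller, uint64_t slot, uint64_t off, bool enabled)
{
    ctx_regs_t r = ctx_example_regs(enabled);
    r.context_id = caller;
    return ctx_translate_check(&r, r.mgmt_base + slot * r.slot_size + off);
}

unsigned ctx_example_reachable(bool enabled)
{
    ctx_regs_t r = ctx_example_regs(enabled);
    return ctx_reachable_slots(&r);
}

int main(void)
{
    printf("component 2 reads its own slot : %s\n",
           ctx_example_check(2, 2, 0x10, true) == ACCESS_ALLOW ? "allow" : "block");
    printf("component 2 reads slot 3       : %s\n",
           ctx_example_check(2, 3, 0x10, true) == ACCESS_ALLOW ? "allow" : "block");
    printf("slots reachable, check on      : %u of 8\n", ctx_example_reachable(true));
    printf("slots reachable, check off     : %u of 8\n", ctx_example_reachable(false));
    return 0;
}
```

The point of the model is the difference between the two reachable-slot counts: with the check enabled, a bug in the more-privileged component (a confused-deputy path, a speculative gadget, a stray pointer) can only reach the management data of the component that is currently in context, because the other seven slots do not translate at all.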
Description
This application is a continuation of U.S. patent application Ser. No. 17/936,783, filed Sep. 29, 2022, which is hereby incorporated by reference herein in its entirety.
BACKGROUND
Many modern computer applications require substantial amounts of computation capacity. Many types of multi-processor or parallelized computer system architectures have been designed to enable numerous portions of a given application, or portions of different applications, to be executed concurrently at a given computing device. The advent of virtualization technologies has provided benefits with respect to managing large-scale computing resources for many customers with diverse needs, allowing various computing resources to be efficiently and securely shared by multiple customers. For example, virtualization technologies may allow a single physical computing machine to be shared among multiple users at a computing service by providing each user with one or more compute instances (e.g., guest virtual machines) hosted by the single physical computing machine. Each such compute instance may be regarded as a software simulation acting as a distinct logical computing system. Virtualization management software such as a hypervisor may be employed as an intermediary between physical hardware components (including SMT processors) and the virtualized representations of the hardware provided to the compute instances.
In many computing systems (e.g., phones, desktops and server-class machines) less-privileged software components are managed by more-privileged software components. For example, (1) applications are managed by operating systems and (2) virtual machines (i.e., guest operating systems) are managed by hypervisors. By design, more-privileged software components have more permissions than less-privileged software components. For example, an application is given a virtual address space managed by an operating system, and a virtual machine is given a guest physical address space managed by a hypervisor. This is necessary for the functionality the more-privileged software component must provide, such as resource allocation, scheduling and other management capabilities. However, it also means that the more-privileged software component has read/write access to the resources given to the less-privileged software component. For example, an operating system can read or write the physical memory allocated to an application.
BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 illustrates an example processor that supports more- and less-privileged software components, in which hardware supported context-dependent address space hiding may be used to mitigate security vulnerabilities, according to at least some embodiments.
FIG. 2 illustrates an example system environment, and an example register configuration and more-privileged software component execution process, in which hardware supported context-dependent address space hiding may be used to mitigate security vulnerabilities at a processor that supports more- and less-privileged software components, according to at least some embodiments.
FIG. 3 illustrates an example computing device environment in which hardware supported context-dependent address space hiding may be used to mitigate security vulnerabilities at processors that support more- and less-privileged software components, where specific functionality of the more- and less-privileged software components is detailed, according to at least some embodiments.
FIG. 4 illustrates examples of data objects that may be accessed by operating system components on behalf of various user-mode application processes, according to at least some embodiments.
FIG. 5 illustrates examples of data objects that may be accessed by hypervisor components on behalf of various compute instances running at a virtualization host, according to at least some embodiments.
FIG. 6 illustrates example elements of a virtualization host at which one or more types of hardware supported context-dependent address space hiding may be implemented, according to at least some embodiments.
FIG. 7 is a logical block diagram illustrating a provider network where processors executing services within the provider network provide for hardware supported context-dependent address space hiding, according to at least some embodiments.
FIG. 8 is a flow diagram illustrating aspects of context initialization operations that may be performed by a more-privileged software component implementing hardware supported context-dependent address space hiding, according to at least some embodiments.
FIG. 9 is a flow diagram illustrating aspects of operations that may be performed by a more-privileged software component implementing hardware supported context-dependent address space hiding, when a less-privileged software component calls the more-privileged software component resulting in an execution context switch, according to at least some embodiments.
FIG. 10 is a flow diagram