Patent Grant
11687357
The disclosure of Japanese Patent Application No. 2019-200651 filed on Nov. 5, 2019 including the specification, drawings and abstract is incorporated herein by reference in its entirety.
The present invention relates to a virtualization system applied to a network-compatible vehicle-mounted system requiring high robustness, an automatic driving system and the vehicle-mounted system such as an ADAS (Advanced Driver Assistance System).
The virtualization technology is a technology for organizing various resources (CPU, memory, storage, Operating System (hereinafter, OS), etc.) of a computer system in a logical unit independent of a physical configuration, so that a plurality of resources can be combined to be shown as a single resource, or a single resource can be divided into multiple resources. In a system environment using such virtualization technology, a virtual machine constructed by software on hardware is started, and the guest OS runs on it. As a method of constructing a virtual machine, there is a method of starting a dedicated software called a hypervisor on a computer and starting an OS on a virtual machine constructed by a hypervisor. The hypervisor manages allocation information indicating the allocation of computer hardware resources (hereinafter referred to as resources) and creates a virtual physical environment. The virtualization systems are implemented on System on Chip (SoC).
To allocate and manage resources to guest OSs running on a virtual environment, each guest OS is given an OSID for identification. If the OSID is flexibly configurable in software without being anchored, the software can be attacked and the OSID can be rewritten freely, and there is a way to hide the OSID in hardware as a way to prevent the OSID from such attacks.
Referring to
As described above, by storing OSID in the registers (8g, 8h) of gateway (8f), the register (8b) of the guest OS1 (8a) and the register (8e) of the guest OS2 (8d) that cannot be referenced by other guest OSs, the OSID is concealed as hardware and a high-security environment in the virtualization system is realized.
However, the prior art has the following problems. Once OSID has been allocated, the generated OSID will continue to be used while the system is running without modification. In such cases, for example, a malicious guest OS may attempt to access unallocated resources and succeed in accessing them by brute force attack while changing OSID sequentially. To solve this problem, it is possible to change OSID periodically. However, since OSID must be changed while the system is stopped, the system must be stopped and then restarted. In this method, however, it is virtually not possible to change OSID frequently in a short time. Furthermore, even if so as to secure a long change period, the intervention of software is required, it is feared that leads to a decrease in performance.
It is an object of the present invention to realize high security in a virtualization system while reducing the load of software processing on a function that restricts access to resources from a guest OS running on a non-secure CPU.
In a virtualization system having a hypervisor that performs OSID management for linking a plurality of OSs and resources, and an OSID manager that receives an initial value from the hypervisor and sets an OSID for linking in each of the guest OSs and resources, a new OSID created by OSID manager is requested to be updated to the guest OS and resources after a certain period of time has elapsed after the initial value is set. This allows the guest OS and resource OSID to be updated at the same time.
In a virtualization system according to an embodiment, by periodically creating an OSID by OSID manager and resetting OSID created in the guest OS and the resource, OSID that was previously operated at a fixed value can be updated while the system is running. Further, by simultaneously updating by the update controller in OSID manager, it is possible to reliably update OSID while preventing mismatches generated by the deviation of the update. This ensures that if a OSID is stolen in the event of a brute force attack by a malicious OS, OSID is updated immediately, thus invalidating the stolen OSID and enabling a more robust system.
Hereinafter, the virtualization system according to the first embodiment will be described in detail with reference to the drawings. In the specification and the drawings, the same or corresponding elements are denoted by the same reference numerals, and a repetitive description thereof is omitted. In the drawings, for convenience of description, the configuration may be omitted or simplified. Also, at least some of the embodiments and each modification may be arbitrarily combined with each other.
(Configuration of Virtualization System)
In the first embodiment, there is an OSID manager (if) as a control unit corresponding to the gateway (8f) in the prior art of
(Update Flowchart of OSID)
Specifically, with reference to
The guest OS1 (1a) uses OSID (=A) set in CPU0 to request access to the resources managed by IP0 (1i) (S205). The IP0 (1i) permits access to the resource if the access request to the resource from the guest OS1 (1a) matches OSID set by OSID manager (if) (S206). If OSID does not matched, access to the resource is not permitted. In this embodiment, OSID (=A) is set in the registers (1b, 1k) of the guest OS1 (1a) and the IP0 (1i), so access is accepted. On the other hand, the OSID manager (if) transmits the generated new OSID (=A′) to IP0 (1i) and CPU0 when the preset update timing (at a predetermined timing) has arrived. Further, the OSID manager (1f) instructs IP0 (1i) and CPU0 to switch to the transmitted OSID (S207).
OSID can be changed frequently even while the system is running, and if the malicious guest OS forges OSID and becomes accessible to unauthorized resources, OSID is updated regularly and the successfully accessed OSID is immediately disabled. In other words, it is possible to realize high robustness, which is one of the important factors in the operation of the guest OS in the virtualization system. Also, even if OSID is updated frequently, the hypervisor implemented by the software is only involved in the initialization of OSID, and OSID manager manages the updating of OSID so that the performance of the system is not degraded.
In the second embodiment, as compared to the first embodiment, OSID generator is disposed inside guest OS and IP. In addition, OSID generator generates and uses OSID based on parameters such as seeds (variables) and calculate functions received from OSID, so that OSID itself is not retained internally.
(Update Flowchart of OSID)
Specifically, refreshing OSID in present embodiment will be described with reference to
The guest OS1 (3a) uses the generated OSID to request IP0 (3h) to access the resource (S406). The IP0 (3h) uses the generated OSID to manage access to the resource (S407). The OSID for the access request is compared with the generated OSID, and if they are the same, the access request is accepted. The update controller (3g) periodically (at a predetermined timing) instructs the guest OS1 (3a) and IP0 (3h) to update OSID. The OSID generator (3b) and OSID generator (3j) periodically generate OSID and update OSID that has been generated by the instruction from the update controller (3g). The old OSID is deleted and disabled if OSID was updated (S408). It should be noted that OSID should not be updated while CPU0 is locked by some kind of process. The guest OS1 (3a) notifies the hypervisor (3c) of completion when the request of resource to IP0 (3h) is completed (S409).
In the second embodiment, since OSID to be retained is generated by OSID generator each time both the guest OS and the IP (resource), there is no need to retain OSID itself, and OSID can be completely concealed. Moreover, since the data held by the guest OS and the IP (resource) are only parameters for OSID generation, even if the parameters are stolen, it is impossible to generate an OSID unless the algorithm for generating OSID is clarified, and high-robustness can be realized.
In the third embodiment, the updating instruction by OSID manager is unnecessary. As in the second embodiment, OSID generator is located inside the guest OS and the resource, and generates OSID according to the parameters from OSID manager. The guest OS accesses the resource by updating OSID at predetermined intervals (at a predetermined timing) such as every access or every 10 accesses, for example. OSID is updated in the same way when the number of accesses is counted and the predetermined update timing is reached. The refresh interval is preset by OSID manager.
(Update Flowchart of OSID)
Specifically, with reference to
The guest OS1 (5a) uses the generated OSID to manage access to resources (S606). The IP0 (5g) uses the generated OSID to manage access to the resource (S607). The OSID of the access request is compared with the generated OSID, and if they are the same, the access request is accepted. In OSID generator (5b) and OSID generator (5h) arranged inside the guest OS1 (5a) and IP0 (5g), OSID is generated at a predetermined timing, and the stale OSID is erased and disabled (S608). As a predetermined timing, when the number of times the guest OS1 (5a) requested to access IP0 (5g) reaches a predetermined value, whereas when the number of access requests from the guest OS1 (5a) reaches a predetermined number of times, OISD may be updated. OSID should not be updated while the CPUs are locked. The guest OS1 (5a) notifies the hypervisor (5c) of completion when resource-requesting to IP0 (5g) is completed (S609).
In the third embodiment, the access from the guest OS to the IP (resource) is an order-guaranteed access, and by determining the update timing based on this access, the access can be made accessible without inconsistent OSID even if there is no update instruction from OSID manager. Further, since OSID manager does not need to perform updating control for the respective guest OSs and IPs (resources), frequent periodic updating of OSID can be performed without complicated control even when the number of control targets increases.
For example, there is a way to simplify the function of OSID generating part. In the second and third embodiments, the OSID generators inside the guest OS and IP generate OSID, but instead of providing OSID generator, OSID storage table can be retained. The OSID manager stores OSID in OSID storage table and sequentially updates OSID in the table at a predetermined update timing. For example, guest OS1 (3a, 5a) and IP0 (3h, 5g) are generated from OSID storage table as the allocation information table based on the parameters and OSID used immediately before based on the instruction from OSID manager (3f, 5f). If OSID reaches the end of the table, it should return to the beginning at the next refresh timing. In this method, a simpler configuration and more robust virtualization system can be constructed than with an OSID generator.
When OSID generator in above embodiments individually generates an OSID, there is a possibility that the generated OSID overlaps. To solve this problem, as shown in
| Number | Date | Country | Kind |
|---|---|---|---|
| 2019-200651 | Nov 2019 | JP | national |
| Number | Name | Date | Kind |
|---|---|---|---|
| 8775696 | Scales | Jul 2014 | B2 |
| 20040040025 | Lehtinen | Feb 2004 | A1 |
| 20060029226 | Han | Feb 2006 | A1 |
| 20150270956 | Basmov | Sep 2015 | A1 |
| 20160092677 | Patel | Mar 2016 | A1 |
| 20160179561 | George | Jun 2016 | A1 |
| 20160246649 | Tsirkin | Aug 2016 | A1 |
| 20180004425 | Suzuki | Jan 2018 | A1 |
| 20190155637 | Yu | May 2019 | A1 |
| 20200004936 | Avital | Jan 2020 | A1 |
| 20200159940 | Werner | May 2020 | A1 |
| 20200241902 | Freche | Jul 2020 | A1 |
| 20200319907 | Jain | Oct 2020 | A1 |
| 20200394339 | Mayer | Dec 2020 | A1 |
| 20210132978 | Shibayama | May 2021 | A1 |
| 20210224091 | Hayatnagarkar | Jul 2021 | A1 |
| Number | Date | Country | |
|---|---|---|---|
| 20210132978 A1 | May 2021 | US |
