公开(公告)号：US20210200687A1

公开(公告)日：2021-07-01

申请号：US16728928

申请日：2019-12-27

Applicant: Intel Corporation

Inventor： DAVID M. DURHAM ,  JACOB DOWECK ,  MICHAEL LEMAY ,  DEEPAK GUPTA

IPC: G06F12/1027

Abstract: An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.

公开(公告)号：US20180129808A1

公开(公告)日：2018-05-10

申请号：US15811469

申请日：2017-11-13

Applicant: INTEL CORPORATION

Inventor： MICHAEL LEMAY ,  DAVID M. DURHAM

IPC: G06F21/56 ,  H04L29/06

CPC classification number: G06F21/566 ,  G06F21/567 ,  G06F2221/032 ,  H04L63/1416 ,  H04L63/145

Abstract: Various embodiments are generally directed to techniques for detecting malware in a manner that mitigates the consumption of processing and/or storage resources of a processing device. An apparatus may include a first processor component of a processing device to generate entries in a chronological order within a first page modification log maintained within a first storage divided into multiple pages, each entry to indicate a write access made by the first processor component to a page of the multiple pages; a retrieval component of a graphics controller of the processing device to recurringly retrieve indications from the first page modification log of at least one recently written page of the multiple pages; and a scan component of the graphics controller to recurringly scan the at least one recently written page to detect malware within the at least one recently written page.

公开(公告)号：US20210311883A1

公开(公告)日：2021-10-07

申请号：US17321087

申请日：2021-05-14

Applicant: Intel Corporation

Inventor： DAVID M. DURHAM ,  JACOB DOWECK ,  MICHAEL LEMAY ,  DEEPAK GUPTA

IPC: G06F12/1027

Abstract: An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.

公开(公告)号：US20200183861A1

公开(公告)日：2020-06-11

申请号：US16690614

申请日：2019-11-21

Applicant: Intel Corporation

Inventor： SIDDHARTHA CHHABRA ,  DAVID M. DURHAM

IPC: G06F12/14 ,  H04L9/06 ,  G06F21/60 ,  G06F21/79 ,  G06F21/64 ,  G06F21/53

Abstract: The presently disclosed method and apparatus for sharing security metadata memory space proposes a technique to allow metadata sharing two different encryption techniques. A section of memory encrypted using a first type of encryption and having first security metadata associated therewith is converted to a section of memory encrypted using a second type of encryption and having second security metadata associated therewith. At least a portion of said first security metadata shares a memory space with at least a portion of said second security metadata for a same section of memory.

公开(公告)号：US20200159673A1

公开(公告)日：2020-05-21

申请号：US16686379

申请日：2019-11-18

Applicant: Intel Corporation

Inventor： RAVI L. SAHITA ,  GILBERT NEIGER ,  VEDVYAS SHANBHOGUE ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  DAVID A. KOUFATY ,  ASIT K. MALLICK ,  ARUMUGAM THIYAGARAJAH ,  BARRY E. HUNTLEY ,  DEEPAK K. GUPTA ,  MICHAEL LEMAY ,  JOSEPH F. CIHULA ,  BAIJU V. PATEL

IPC: G06F12/14 ,  G06F9/455 ,  G06F12/1009 ,  G06F12/1027

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

公开(公告)号：US20170286320A1

公开(公告)日：2017-10-05

申请号：US15089280

申请日：2016-04-01

Applicant: Intel Corporation

Inventor： SIDDHARTHA CHHABRA ,  DAVID M. DURHAM ,  PRASHANT DEWAN

IPC: G06F12/14 ,  G06F13/28

Abstract: This disclosure is directed to avoiding redundant memory encryption in a cryptographic protection system. Data stored in a device may be protected using different encryption systems. Data associated with at least one trusted execution environment (TEE) may be encrypted using a first encryption system. Main memory in the device may comprise data important to maintaining the integrity of an operating system (OS), etc. and may be encrypted using a second encryption system. Data may also be placed into a memory location via direct memory access (DMA) and may be protected utilizing a third encryption system. Redundant encryption may be avoided by encryption circuitry capable of determining when data is already protected by encryption provided by another system. For example, the encryption circuitry may comprise encryption control circuitry that monitors indicators set at different points during data handling, and may bypass certain data encryption or decryption operations based on the indicator settings.

公开(公告)号：US20160378490A1

公开(公告)日：2016-12-29

申请号：US14752079

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： MICHAEL LEMAY ,  DAVID M. DURHAM ,  BARRY E. HUNTLEY ,  VEDVYAS SHANBHOGUE ,  RAVI L. SAHITA ,  RAVI RAJWAR

IPC: G06F9/38 ,  G06F11/07

CPC classification number: G06F9/3802 ,  G06F9/3004 ,  G06F9/30076 ,  G06F9/30145 ,  G06F9/30167 ,  G06F9/30189 ,  G06F9/46 ,  G06F11/0745 ,  G06F11/0751

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for protecting confidential data with transactional processing in execute-only memory. The system may include a memory module configured to store an execute-only code page. The system may also include a transaction processor configured to enforce a transaction region associated with at least a portion of the code page. The system may further include a processor configured to execute a load instruction fetched from the code page, the load instruction configured to load at least a portion of the confidential data from an immediate operand of the load instruction if a transaction mode of the transaction region is enabled.

Abstract translation: 通常，本公开提供了用于在仅执行存储器中用事务处理保护机密数据的系统，设备，方法和计算机可读介质。 该系统可以包括被配置为存储仅执行代码页的存储器模块。 系统还可以包括配置成强制与代码页的至少一部分相关联的事务区域的事务处理器。 该系统还可以包括：处理器，其被配置为执行从代码页取出的加载指令，所述加载指令被配置为如果交易区域的交易模式是来自加载指令的即时操作数，则加载秘密数据的至少一部分 启用

公开(公告)号：US20150278512A1

公开(公告)日：2015-10-01

申请号：US14228994

申请日：2014-03-28

Applicant: Intel Corporation

Inventor： PRASHANT DEWAN ,  UTTAM K. SENGUPTA ,  SIDDHARTHA CHHABRA ,  DAVID M. DURHAM ,  XIAOZHU KANG ,  UDAY R. SAVAGAONKAR ,  ALPA T. NARENDRA TRIVEDI

IPC: G06F21/53 ,  H04L9/32 ,  G06F9/455

CPC classification number: G06F21/53 ,  G06F9/45504 ,  G06F9/45558 ,  G06F9/5011 ,  G06F9/5072 ,  G06F21/554 ,  G06F21/84 ,  G06F2009/45587 ,  G06F2213/0038 ,  H04L9/3247

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for virtualization-based intra-block workload isolation. The system may include a virtual machine manager (VMM) module to create a secure virtualization environment or sandbox. The system may also include a processor block to load data into a first region of the sandbox and to generate a workload package based on the data. The workload package is stored in a second region of the sandbox. The system may further include an operational block to fetch and execute instructions from the workload package.

Abstract translation: 通常，本公开提供了用于基于虚拟化的块内工作负载隔离的系统，设备，方法和计算机可读介质。 该系统可以包括用于创建安全虚拟化环境或沙箱的虚拟机管理器（VMM）模块。 该系统还可以包括处理器块，用于将数据加载到沙箱的第一区域中，并且基于该数据生成工作负载包。 工作负载包存储在沙箱的第二个区域。 系统还可以包括用于从工作负载包获取和执行指令的操作块。

公开(公告)号：US20190296893A1

公开(公告)日：2019-09-26

申请号：US16426746

申请日：2019-05-30

Applicant: INTEL CORPORATION

Inventor： SIDDHARTHA CHHABRA ,  DAVID M. DURHAM

IPC: H04L9/06 ,  G06F12/08 ,  G06F21/53 ,  G06F21/60 ,  G06F12/14 ,  G06F21/72

Abstract: Various embodiments are generally directed to techniques for converting between different cipher systems, such as, for instance, between a cipher system used for a first encryption environment and a different cipher system used for a second encryption environment, for instance. Some embodiments are particularly directed to an encryption engine that supports memory operations between two or more encryption environments. Each encryption environment can use different cipher systems while the encryption engine can translate ciphertext between the different cipher systems. In various embodiments, for instance, the first encryption environment may include a main memory that uses a position dependent cipher system and the second encrypted environment may include a secondary memory that uses a position independent cipher system.

公开(公告)号：US20190220349A1

公开(公告)日：2019-07-18

申请号：US16368430

申请日：2019-03-28

Applicant: Intel Corporation

Inventor： SERGEJ DEUTSCH ,  WEI WU ,  DAVID M. DURHAM ,  KARANVIR GREWAL

IPC: G06F11/10 ,  H04L9/32

Abstract: In one example a computer implemented method comprises generating an error correction code for a memory line, the memory line comprising a first plurality of data blocks, wherein the error correction code comprises a first plurality of parity bits and a second plurality of parity bits, applying a domain-specific function to the second plurality of parity bits to generate a modified block of parity bits, generating a metadata block corresponding to the memory line, wherein the metadata block comprises the error correction code for the memory line and at least a portion of the modified block of parity bits, encoding the first plurality of data blocks and the metadata block to generate a first encoded data set, and providing the encoded data set and the encoded metadata block for storage on a memory module. Other examples may be described.