公开(公告)号：US20180096147A1

公开(公告)日：2018-04-05

申请号：US15281825

申请日：2016-09-30

Applicant: Intel Corporation

Inventor： Tugrul Ince ,  Koichi Yamada ,  Ajay Harikumar ,  Alex Nayshtut

IPC: G06F21/56 ,  G06F11/36 ,  G06F21/52

CPC classification number: G06F21/566 ,  G06F11/3604 ,  G06F21/52 ,  G06F2221/033

Abstract: In one embodiment, a binary translator to perform binary translation of code is to: perform a first binary analysis of a first code block to determine whether a second control transfer instruction is included in the first code block, where the first code block includes a return target of a first control transfer instruction; perform a second binary analysis of a second code block to determine whether the second code block includes the first control transfer instruction, where the second code block includes a call target of the second control transfer instruction; and store an address pair associated with the first control transfer instruction in a whitelist if the second control transfer instruction is included in the first code block and the first control transfer instruction is included in the second code block. Other embodiments are described and claimed.

公开(公告)号：US08850081B2

公开(公告)日：2014-09-30

申请号：US14039309

申请日：2013-09-27

Applicant: Intel Corporation

Inventor： Ajay Harikumar ,  Tessil Thomas ,  Biju Puther Simon

IPC: G06F13/10 ,  G06F11/00 ,  G06F9/50 ,  G06F9/54 ,  G06F12/08

CPC classification number: G06F9/542 ,  G06F9/5077 ,  G06F12/0806 ,  G06F2209/543

Abstract: In one aspect, the issues of events that may impact one or more partitions of sub-socket partitioning in one or more sockets can be handled. Specifically, events for partitions can be handled in a socket with sub-socket partitioning, wherein the events may include reset, interrupts, errors and reliability, availability, and serviceability (RAS) management.

公开(公告)号：US10984096B2

公开(公告)日：2021-04-20

申请号：US15938015

申请日：2018-03-28

Applicant: Intel Corporation

Inventor： Koichi Yamada ,  Sevin F. Varoglu ,  Ajay Harikumar ,  Alex Nayshtut

IPC: G06F21/52 ,  G06F21/55 ,  G06F21/56

Abstract: After a heuristic event counter in a processor has triggered a performance monitoring interrupt (PMI) when the processor was executing a target program in user mode, and after the processor has switched to kernel mode in response to the PMI, a heuristic event handler automatically performs preliminary analysis in kernel mode, without switching back to user mode, to determine whether heavyweight code analysis is warranted. The preliminary analysis comprises (a) obtaining an instruction pointer (IP) for the target program from a last branch record (LBR) buffer in the processor, (b) using transaction hardware in the processor to determine whether the IP from LBR buffer points to a readable page in memory, and (c) determining that heavyweight code analysis is not warranted in response to a determination that the page pointed to by the IP from LBR buffer is not readable. Other embodiments are described and claimed.

公开(公告)号：US20190042730A1

公开(公告)日：2019-02-07

申请号：US15938015

申请日：2018-03-28

Applicant: Intel Corporation

Inventor： Koichi Yamada ,  Sevin F. Varoglu ,  Ajay Harikumar ,  Alex Nayshtut

IPC: G06F21/52 ,  G06F21/56 ,  G06F21/55

Abstract: After a heuristic event counter in a processor has triggered a performance monitoring interrupt (PMI) when the processor was executing a target program in user mode, and after the processor has switched to kernel mode in response to the PMI, a heuristic event handler automatically performs preliminary analysis in kernel mode, without switching back to user mode, to determine whether heavyweight code analysis is warranted. The preliminary analysis comprises (a) obtaining an instruction pointer (IP) for the target program from a last branch record (LBR) buffer in the processor, (b) using transaction hardware in the processor to determine whether the IP from LBR buffer points to a readable page in memory, and (c) determining that heavyweight code analysis is not warranted in response to a determination that the page pointed to by the IP from LBR buffer is not readable. Other embodiments are described and claimed.

公开(公告)号：US11126721B2

公开(公告)日：2021-09-21

申请号：US16021411

申请日：2018-06-28

Applicant: Intel Corporation

Inventor： Alex Nayshtut ,  Vadim Sukhomlinov ,  Koichi Yamada ,  Ajay Harikumar ,  Venkat Gokulrangan

IPC: H04L29/06 ,  G06F21/56 ,  G06F21/55

Abstract: The disclosed embodiments generally relate to detecting malware through detection of micro-architectural changes (morphing events) when executing a code at a hardware level (e.g., CPU). An exemplary embodiment relates to a computer system having: a memory circuitry comprising an executable code; a central processing unit (CPU) in communication with the memory circuitry and configured to execute the code; a performance monitoring unit (PMU) associated with the CPU, the PMU configured to detect and count one or more morphing events associated with execution of the code and to determine if the counted number of morphine events exceed a threshold value; and a co-processor configured to initiate a memory scan of the memory circuitry to identify a malware in the code.

公开(公告)号：US10789056B2

公开(公告)日：2020-09-29

申请号：US15202745

申请日：2016-07-06

Applicant: Intel Corporation

Inventor： Koichi Yamada ,  Jose A. Baiocchi Paredes ,  Abhik Sarkar ,  Ajay Harikumar ,  Jiwei Lu

IPC: G06F8/52 ,  G06F8/61

Abstract: Technologies for binary translation include a computing device that allocates a translation cache shared by all threads associated with a corresponding execution domain. The computing device assigns a thread to an execution domain, translates original binary code of the thread to generate translated binary code, and installs the translated binary code into the corresponding translation cache for execution. The computing device may allocate a global region cache, generate region metadata associated with the original binary code of a thread, and store the region metadata in the global region cache. The original binary code may be translated using the region metadata. The computing device may allocate a global prototype cache, translate the original binary code of a thread to generate prototype code, and install the prototype code in the global prototype cache. The prototype code may be a non-executable version of the translated binary code. Other embodiments are described and claimed.

公开(公告)号：US10395033B2

公开(公告)日：2019-08-27

申请号：US15281825

申请日：2016-09-30

Applicant: Intel Corporation

Inventor： Tugrul Ince ,  Koichi Yamada ,  Ajay Harikumar ,  Alex Nayshtut

IPC: G06F21/56 ,  G06F11/36 ,  G06F21/52

Abstract: In one embodiment, a binary translator to perform binary translation of code is to: perform a first binary analysis of a first code block to determine whether a second control transfer instruction is included in the first code block, where the first code block includes a return target of a first control transfer instruction; perform a second binary analysis of a second code block to determine whether the second code block includes the first control transfer instruction, where the second code block includes a call target of the second control transfer instruction; and store an address pair associated with the first control transfer instruction in a whitelist if the second control transfer instruction is included in the first code block and the first control transfer instruction is included in the second code block. Other embodiments are described and claimed.