-
Publication number: US20240283813A1
Publication date: 2024-08-22
Application number: US18453199
Application date: 2023-08-21
Applicant: Mellanox Technologies, Ltd.
Inventor: Rami Ailabouni, Meni Orenbach, Ahmad Atamli
CPC classification number: H04L63/1441, G06F9/45558, H04L63/1416, G06F2009/45587, G06F2009/45595
Abstract: A system includes a data processing unit (DPU). The DPU is to receive a notification associated with a virtualized computing environment on a host system coupled to the DPU. The DPU is associated with a security characteristic. A threat type associated with the threat is identified. Based on at least one of the threat type associated with the threat or the security characteristic of the virtualized computing environment, a threat prevention operation to address the threat is determined. The threat prevention operation is caused to be performed on the host system.
-
Publication number: US11741232B2
Publication date: 2023-08-29
Application number: US17163599
Application date: 2021-02-01
Applicant: MELLANOX TECHNOLOGIES, LTD.
Inventor: Mor Hoyda Sfadia, Yuval Itkin, Ahmad Atamli, Ariel Shahar, Yaniv Strassberg, Itsik Levi
CPC classification number: G06F21/572, G06F8/65, G06F9/445, G06F2221/033
Abstract: A computer system includes a volatile memory and at least one processor. The volatile memory includes a protected storage segment (PSS) configured to store firmware-authentication program code for authenticating firmware of the computer system. The at least one processor is configured to receive a trigger to switch to a given version of the firmware, to obtain, in response to the trigger, a privilege to access the PSS, to authenticate the given version of the firmware by executing the firmware-authentication program code from the PSS, to switch to the given version of the firmware upon successfully authenticating the given version, and to take an alternative action upon failing to authenticate the given version.
-
Publication number: US20230068546A1
Publication date: 2023-03-02
Application number: US17890850
Application date: 2022-08-18
Applicant: Mellanox Technologies, Ltd.
Inventor: Thanh Ngoc Nguyen, Meni Orenbach, Ahmad Atamli
Abstract: Technologies for system call trace reconstruction are described. A method includes determining, by one or more processors, a set of memory locations of a kernel memory structure. The set of memory locations stores data indicating one or more parameters of a user-associated process. The method further includes determining that a first value of a first of the set of memory locations has changed. The method further includes determining an execution of a first system call associated with the user-associated process and the kernel memory structure. The method further includes retrieving one or more values corresponding to individual memory locations of the set of memory locations associated with the first system call. The method further includes providing an output identifying the first system call based on the one or more values corresponding to the individual memory locations.
-
Publication number: US20220245251A1
Publication date: 2022-08-04
Application number: US17163599
Application date: 2021-02-01
Applicant: MELLANOX TECHNOLOGIES, LTD.
Inventor: Mor Hoyda Sfadia, Yuval Itkin, Ahmad Atamli, Ariel Shahar, Yaniv Strassberg, Itsik Levi
Abstract: A computer system includes a volatile memory and at least one processor. The volatile memory includes a protected storage segment (PSS) configured to store firmware-authentication program code for authenticating firmware of the computer system. The at least one processor is configured to receive a trigger to switch to a given version of the firmware, to obtain, in response to the trigger, a privilege to access the PSS, to authenticate the given version of the firmware by executing the firmware-authentication program code from the PSS, to switch to the given version of the firmware upon successfully authenticating the given version, and to take an alternative action upon failing to authenticate the given version.
-
Publication number: US20240202315A1
Publication date: 2024-06-20
Application number: US18084964
Application date: 2022-12-20
Applicant: Mellanox Technologies, Ltd.
Inventor: Ahmad Atamli, Ilan Pardo, Miriam Menes, Shahaf Shuler, Meni Orenbach, Uria Basher
IPC: G06F21/53
CPC classification number: G06F21/53, G06F2221/033
Abstract: The technology disclosed herein enables selective clearing of memory regions upon a context switch. An example method includes the operations of: receiving a memory access request referencing a memory region; determining an identifier of a current execution context associated with the memory region; determining an identifier of a previous execution context specified by metadata associated with the memory region; responsive to determining that the identifier of the current execution context does not match the identifier of the previous execution context, updating the metadata associated with the memory region to store the identifier of the current execution context; clearing at least a part of the memory region; and processing the memory access request with respect to the memory region.
-
Publication number: US20230273808A1
Publication date: 2023-08-31
Application number: US18104086
Application date: 2023-01-31
Applicant: Mellanox Technologies, Ltd.
Inventor: Ahmad Atamli, Meni Orenbach, Miriam Menes, Shahaf Shuler
IPC: G06F9/455
CPC classification number: G06F9/45558, G06F2009/45583, G06F2009/45587, G06F2009/45595
Abstract: The technology disclosed herein enables a Trusted Execution Environment (TEE) to be extended to an auxiliary device that handles persistently storing data in a security enhanced manner. Extending the trusted computing base to the auxiliary device may involve establishing an auxiliary TEE in the auxiliary device and a trusted communication link between the primary and auxiliary TEEs. The primary TEE may include the computing resources of the primary devices (e.g., CPU and host memory) and the auxiliary TEE may include the computing resources of the auxiliary devices (e.g., hardware accelerators and auxiliary memory). The trusted communication link may enable the auxiliary TEE to access data of the primary TEE that is otherwise inaccessible to all software executing external to the primary TEE (e.g., host operating system and hypervisor). The auxiliary device may use the auxiliary TEE to process the data to avoid compromising the security enhancements provided by the primary TEE.
-
Publication number: US12259963B2
Publication date: 2025-03-25
Application number: US17676890
Application date: 2022-02-22
Applicant: MELLANOX TECHNOLOGIES, LTD.
Inventor: Boris Pismenny, Miriam Menes, Ahmad Atamli, Ilan Pardo, Ariel Shahar, Uria Basher
Abstract: A confidential computing (CC) apparatus includes a CPU and a peripheral device. The CPU is to run a hypervisor that hosts one or more Trusted Virtual Machines (TVMs). The peripheral device is coupled to the CPU and to an external memory. The CPU includes a TVM-Monitor (TVMM), to perform management operations on the one or more TVMs, to track memory space that is allocated by the hypervisor to the peripheral device in the external memory, to monitor memory-access requests issued by the hypervisor to the memory space allocated to the peripheral device in the external memory, and to permit or deny the memory-access requests, according to a criterion.
-
Publication number: US12032680B2
Publication date: 2024-07-09
Application number: US17709815
Application date: 2022-03-31
Applicant: Mellanox Technologies, Ltd.
Inventor: Ahmad Atamli, Rami Ailabouni, Ahmad Saleh, Ariel Levanon, Thanh Nguyen, Mark Overby
CPC classification number: G06F21/53, G06F21/606, G06F2221/033
Abstract: The technology disclosed herein enables an auxiliary device to run a service that can access and analyze data of a Trusted Execution Environment (TEE). The auxiliary device may establish an auxiliary TEE in the auxiliary device and establish a trusted communication link between the auxiliary TEE and the TEE (i.e., primary TEE). The primary TEE may execute a target program using the primary devices of a host device (e.g., CPU) and the auxiliary TEE may execute a security program using the auxiliary device (e.g., DPU). In one example, the primary and auxiliary TEEs may be established for a cloud consumer and the auxiliary TEE may execute a security service that can monitor data of the primary TEE even though the data is inaccessible to all other software executing external to the primary TEE (e.g., inaccessible to host operating system and hypervisor).
-
Publication number: US20230297666A1
Publication date: 2023-09-21
Application number: US17709815
Application date: 2022-03-31
Applicant: Mellanox Technologies, Ltd.
Inventor: Ahmad Atamli, Rami Ailabouni, Ahmad Saleh, Ariel Levanon, Thanh Nguyen, Mark Overby
CPC classification number: G06F21/53, G06F21/606, G06F2221/033
Abstract: The technology disclosed herein enables an auxiliary device to run a service that can access and analyze data of a Trusted Execution Environment (TEE). The auxiliary device may establish an auxiliary TEE in the auxiliary device and establish a trusted communication link between the auxiliary TEE and the TEE (i.e., primary TEE). The primary TEE may execute a target program using the primary devices of a host device (e.g., CPU) and the auxiliary TEE may execute a security program using the auxiliary device (e.g., DPU). In one example, the primary and auxiliary TEEs may be established for a cloud consumer and the auxiliary TEE may execute a security service that can monitor data of the primary TEE even though the data is inaccessible to all other software executing external to the primary TEE (e.g., inaccessible to host operating system and hypervisor).
-
Publication number: US12223051B2
Publication date: 2025-02-11
Application number: US18349147
Application date: 2023-07-09
Applicant: Mellanox Technologies, Ltd.
Inventor: Mor Hoyda Sfadia, Yuval Itkin, Ahmad Atamli, Ariel Shahar, Yaniv Strassberg, Itsik Levi
Abstract: A computer system includes a volatile memory and at least one processor. The volatile memory includes a protected storage segment (PSS) configured to store firmware-authentication program code for authenticating firmware of the computer system. The at least one processor is configured to receive a trigger to switch to a given version of the firmware, to obtain, in response to the trigger, a privilege to access the PSS, to authenticate the given version of the firmware by executing the firmware-authentication program code from the PSS, to switch to the given version of the firmware upon successfully authenticating the given version, and to take an alternative action upon failing to authenticate the given version.