-
公开(公告)号:US20210111892A1
公开(公告)日:2021-04-15
申请号:US17131684
申请日:2020-12-22
申请人: Anjo Lucas Vahldiek-Oberwagner , Ravi L. Sahita , Mona Vij , Dayeol Lee , Haidong Xia , Rameshkumar Illikkal , Samuel Ortiz , Kshitij Arun Doshi , Mourad Cherfaoui , Andrzej Kuriata , Teck Joo Goh
发明人: Anjo Lucas Vahldiek-Oberwagner , Ravi L. Sahita , Mona Vij , Dayeol Lee , Haidong Xia , Rameshkumar Illikkal , Samuel Ortiz , Kshitij Arun Doshi , Mourad Cherfaoui , Andrzej Kuriata , Teck Joo Goh
IPC分类号: H04L9/32
摘要: In function-as-a-service (FaaS) environments, a client makes use of a function executing within a trusted execution environment (TEE) on a FaaS server. Multiple tenants of the FaaS platform may provide functions to be executed by the FaaS platform via a gateway. Each tenant may provide code and data for any number of functions to be executed within any number of TEEs on the FaaS platform and accessed via the gateway. Additionally, each tenant may provide code and data for a single surrogate attester TEE. The client devices of the tenant use the surrogate attester TEE to attest each of the other TEEs of the tenant and establish trust with the functions in those TEEs. Once the functions have been attested, the client devices have confidence that the other TEEs of the tenant are running on the same platform as the gateway.
-
公开(公告)号:US20210109870A1
公开(公告)日:2021-04-15
申请号:US17131751
申请日:2020-12-23
申请人: Ravi L. Sahita , Anjo Lucas Vahldiek-Oberwagner , Teck Joo Goh , Rameshkmar Illikkal , Andrzej Kuriata , Vedvyas Shanbhogue , Mona Vij , Haidong Xia
发明人: Ravi L. Sahita , Anjo Lucas Vahldiek-Oberwagner , Teck Joo Goh , Rameshkmar Illikkal , Andrzej Kuriata , Vedvyas Shanbhogue , Mona Vij , Haidong Xia
IPC分类号: G06F12/14 , G06F21/53 , G06F21/60 , G06F21/79 , G06F12/1009
摘要: Example methods and systems are directed to isolating memory in trusted execution environments (TEEs). In function-as-a-service (FaaS) environments, a client makes use of a function executing within a TEE on a FaaS server. To minimize the trusted code base (TCB) for each function, each function may be placed in a separate TEE. However, this causes the overhead of creating a TEE to be incurred for each function. As discussed herein, multiple functions may be placed in a single TEE without compromising the data integrity of each function. For example, by using a different extended page table (EPT) for each function, the virtual address spaces of the functions are kept separate and map to different, non-overlapping physical address spaces. Partial overlap may be permitted to allow functions to share some data while protecting other data. Memory for each function may be encrypted using a different encryption key.
-
公开(公告)号:US20210110070A1
公开(公告)日:2021-04-15
申请号:US17131716
申请日:2020-12-22
申请人: Anjo Lucas Vahldiek-Oberwagner , Ravi L. Sahita , Mona Vij , Rameshkumar Illikkal , Michael Steiner , Thomas Knauth , Dmitrii Kuvaiskii , Sudha Krishnakumar , Krystof C. Zmudzinski , Vincent Scarlata , Francis McKeen
发明人: Anjo Lucas Vahldiek-Oberwagner , Ravi L. Sahita , Mona Vij , Rameshkumar Illikkal , Michael Steiner , Thomas Knauth , Dmitrii Kuvaiskii , Sudha Krishnakumar , Krystof C. Zmudzinski , Vincent Scarlata , Francis McKeen
摘要: Example methods and systems are directed to reducing latency in providing trusted execution environments (TEES). Initializing a TEE includes multiple steps before the TEE starts executing. Besides workload-specific initialization, workload-independent initialization is performed, such as adding memory to the TEE. In function-as-a-service (FaaS) environments, a large portion of the TEE is workload-independent, and thus can be performed prior to receiving the workload. Certain steps performed during TEE initialization are identical for certain classes of workloads. Thus, the common parts of the TEE initialization sequence may be performed before the TEE is requested. When a TEE is requested for a workload in the class and the parts to specialize the TEE for its particular purpose are known, the final steps to initialize the TEE are performed.
-
4.发明申请公开(公告)号:US20160283714A1
公开(公告)日:2016-09-29
申请号:US14670988
申请日:2015-03-27
申请人: Michael LeMay , Ravi L. Sahita , Beeman C. Strong , Thilo Schmitt , Yuriy Bulygin , Markus T. Metzger
发明人: Michael LeMay , Ravi L. Sahita , Beeman C. Strong , Thilo Schmitt , Yuriy Bulygin , Markus T. Metzger
摘要: Technologies for control flow exploit mitigation include a computing device having a processor with real-time instruction tracing support. During execution of a process, the processor generates trace data indicative of control flow of the process. The computing device analyzes the trace data to identify suspected control flow exploits. The computing device may use heuristic algorithms to identify return-oriented programming exploits. The computing device may maintain a shadow stack based on the trace data. The computing device may identify indirect branches to unauthorized addresses based on the trace data to identify jump-oriented programming exploits. The computing device may check the trace data whenever the process is preempted. The processor may detect mispredicted return instructions in real time and invoke a software handler in the process space of the process to verify and maintain the shadow stack. Other embodiments are described and claimed.
摘要翻译: 用于控制流利用减轻的技术包括具有具有实时指令跟踪支持的处理器的计算设备。 在处理过程中,处理器产生指示过程控制流的跟踪数据。 计算设备分析跟踪数据以识别可疑的控制流攻击。 计算设备可以使用启发式算法来识别返回导向的编程漏洞。 计算设备可以基于跟踪数据来维护阴影栈。 计算设备可以基于跟踪数据来识别对未授权地址的间接分支,以识别面向跳跃的编程漏洞。 每当进程被抢占时,计算设备可以检查跟踪数据。 处理器可以实时地检测错误的返回指令,并且在该过程的过程空间中调用软件处理程序以验证和维护该影子栈。 描述和要求保护其他实施例。
-
公开(公告)号:US09286245B2
公开(公告)日:2016-03-15
申请号:US13995360
申请日:2011-12-30
申请人: David M. Durham , Ravi L. Sahita , Prashant Dewan
发明人: David M. Durham , Ravi L. Sahita , Prashant Dewan
CPC分类号: G06F12/1458 , G06F21/121 , G06F21/50 , G06F21/79
摘要: Embodiments of apparatuses and methods for hardware enforced memory access permissions are disclosed. In one embodiment, a processor includes address translation hardware and memory access hardware. The address translation hardware is to support translation of a first address, used by software to access a memory, to a second address, used by the processor to access the memory. The memory access hardware is to detect an access permission violation.
摘要翻译: 公开了用于硬件强制存储器访问许可的装置和方法的实施例。 在一个实施例中,处理器包括地址转换硬件和存储器访问硬件。 地址转换硬件是支持由软件使用的访问存储器的第一地址到由处理器使用以访问存储器的第二地址的翻译。 内存访问硬件是检测访问权限冲突。
-
6.发明申请PROTECTED MEMORY VIEW FOR NESTED PAGE TABLE ACCESS BY VIRTUAL MACHINE GUESTS 审中-公开受保护的内存视图,用于虚拟机客户访问的页面表公开(公告)号:US20140380009A1
公开(公告)日:2014-12-25
申请号:US14127561
申请日:2013-06-24
CPC分类号: G06F12/145 , G06F9/30076 , G06F9/45558 , G06F12/1009 , G06F12/1491 , G06F2009/45583 , G06F2212/1052 , G06F2212/151
摘要: Generally, this disclosure provides systems, methods and computer readable media for a protected memory view in a virtual machine (VM) environment enabling nested page table access by trusted guest software outside of VMX root mode. The system may include an editor module configured to provide access to a nested page table structure, by operating system (OS) kernel components and by user space applications within a guest of the VM, wherein the nested page table structure is associated with one of the protected memory views. The system may also include a page handling processor configured to secure that access by maintaining security information in the nested page table structure.
摘要翻译: 通常,本公开提供了用于虚拟机(VM)环境中的受保护的存储器视图的系统,方法和计算机可读介质,其实现了受VMX根模式之外的受信任客户机的嵌套页表访问。 该系统可以包括被配置为通过操作系统(OS)内核组件和由VM的来宾内的用户空间应用提供对嵌套页表结构的访问的编辑器模块,其中嵌套页表结构与 受保护的内存视图。 该系统还可以包括页面处理处理器,其被配置为通过维护嵌套页表结构中的安全信息来保护该访问。
-
公开(公告)号:US20140157410A1
公开(公告)日:2014-06-05
申请号:US13690401
申请日:2012-11-30
申请人: Prashant Dewan , Uday R. Savagaonkar , David M. Durham , Paul S. Schmitz , Jason Martin , Michael Goldsmith , Ravi L. Sahita , Frank X McKeen , Carlos Rozas , Vembu Balaji , Scott Janus , Geoffrey S. Strongin , Xiaozhu Kang , Karanvir S. Grewal , Siddhartha Chhabra , Alpha T. Narendra Trivedi
发明人: Prashant Dewan , Uday R. Savagaonkar , David M. Durham , Paul S. Schmitz , Jason Martin , Michael Goldsmith , Ravi L. Sahita , Frank X McKeen , Carlos Rozas , Vembu Balaji , Scott Janus , Geoffrey S. Strongin , Xiaozhu Kang , Karanvir S. Grewal , Siddhartha Chhabra , Alpha T. Narendra Trivedi
IPC分类号: G06F21/64
摘要: In accordance with some embodiments, a protected execution environment may be defined for a graphics processing unit. This framework not only protects the workloads from malware running on the graphics processing unit but also protects those workloads from malware running on the central processing unit. In addition, the trust framework may facilitate proof of secure execution by measuring the code and data structures used to execute the workload. If a part of the trusted computing base of this framework or protected execution environment is compromised, that part can be patched remotely and the patching can be proven remotely throughout attestation in some embodiments.
摘要翻译: 根据一些实施例,可以为图形处理单元定义受保护的执行环境。 该框架不仅保护了图形处理单元上运行的恶意软件的工作负载,还保护了这些工作负载免受中央处理单元上运行的恶意软件。 此外,信任框架可以通过测量用于执行工作负载的代码和数据结构来促进安全执行的证明。 如果该框架或受保护的执行环境的可信计算基础的一部分受到损害,那么该部分可以被远程修补,并且在一些实施例中可以通过验证远程验证修补。
-
8.发明授权Secure handling of interrupted events utilizing a virtual interrupt definition table 有权使用虚拟中断定义表安全处理中断的事件公开(公告)号:US08578080B2
公开(公告)日:2013-11-05
申请号:US13175544
申请日:2011-07-01
CPC分类号: G06F13/24 , G06F9/45558 , G06F21/53 , G06F2009/45579
摘要: Various embodiments of this disclosure may describe method, apparatus and system for reducing system latency caused by switching memory page permission views between programs while still protecting critical regions of the memory from attacks of malwares. Other embodiments may be disclosed and claimed.
摘要翻译: 本公开的各种实施例可以描述用于减少由程序之间切换存储器页面许可视图而引起的系统延迟的方法,装置和系统,同时仍保护存储器的关键区域免受恶意软件的攻击。 可以公开和要求保护其他实施例。
-
公开(公告)号:US20130191577A1
公开(公告)日:2013-07-25
申请号:US13734834
申请日:2013-01-04
IPC分类号: G06F12/08
CPC分类号: G06F12/1458 , G06F9/45533 , G06F9/468 , G06F11/1484 , G06F11/2056 , G06F12/08 , G06F12/1009 , G06F12/1425 , G06F12/145 , G06F12/1483 , G06F2009/45583 , G06F2009/45587 , G06F2201/815 , G06F2201/84 , G06F2212/1052 , G06F2212/657
摘要: Embodiments of techniques and systems for increasing efficiencies in computing systems using virtual memory are described. In embodiments, instructions which are located in two memory pages in a virtual memory system, such that one of the pages does not permit execution of the instructions located therein, are identified and then executed under temporary permissions that permit execution of the identified instructions. In various embodiments, the temporary permissions may come from modified virtual memory page tables, temporary virtual memory page tables which allow for execution, and/or emulators which have root access. In embodiments, per-core virtual memory page tables may be provided to allow two cores of a computer processor to operate in accordance with different memory access permissions. in embodiments, a physical page permission table may be utilized to provide for maintenance and tracking of per-physical-page memory access permissions. Other embodiments may be described and claimed.
摘要翻译: 描述了使用虚拟存储器提高计算系统效率的技术和系统的实施例。 在实施例中,位于虚拟存储器系统中的两个存储器页面中的指令,使得页面中的一个不允许执行位于其中的指令,并且然后在允许执行所识别的指令的临时许可下执行。 在各种实施例中,临时许可可来自修改的虚拟内存页表,允许执行的临时虚拟内存页表,和/或具有根访问的仿真器。 在实施例中,可以提供每核心虚拟内存页表以允许计算机处理器的两个核心根据不同的存储器访问许可来操作。 在实施例中,物理页面许可表可以用于提供对每个物理页面存储器访问许可的维护和跟踪。 可以描述和要求保护其他实施例。
-
公开(公告)号:US20130174147A1
公开(公告)日:2013-07-04
申请号:US13341891
申请日:2011-12-30
IPC分类号: G06F9/455
CPC分类号: G06F9/45558 , G06F2009/45583
摘要: Various embodiments of this disclosure may describe method, apparatus and system for reducing system latency caused by switching memory page permission views between programs while still protecting critical regions of the memory from attacks of malwares. Other embodiments may be disclosed and claimed.
摘要翻译: 本公开的各种实施例可以描述用于减少由程序之间切换存储器页面许可视图而引起的系统延迟的方法,装置和系统,同时仍保护存储器的关键区域免受恶意软件的攻击。 可以公开和要求保护其他实施例。
-
-
-
-
-
-
-
-
-
搜索结果
59 条记录 (耗时 0.05 秒)
