-
Publication number: US20190095649A1
Publication date: 2019-03-28
Application number: US16185944
Application date: 2018-11-09
Applicant: Intel Corporation
Inventor: MICHAEL LEMAY
Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for secure memory page mapping in a virtual machine (VM) environment. The system may include a processor configured to execute a virtual machine monitor (VMM). The VMM may be configured to maintain a table of cryptographic keys and associate a token with one of the memory pages to be mapped from a guest linear address (GLA) to a guest physical address (GPA). The token may include a key identifier (key ID) associated with one of the cryptographic keys, and an authentication code based on the GLA, the GPA, and one of the cryptographic keys. The system may also include a page walk processor configured to validate the token to indicate that the memory page associated with the token is authorized to be mapped from the GLA to the GPA.
-
Publication number: US20170315926A1
Publication date: 2017-11-02
Application number: US15652028
Application date: 2017-07-17
Applicant: INTEL CORPORATION
IPC classification: G06F12/1009, G06F12/1027, G06F21/00, G06F9/455, G06F12/14
CPC classification: G06F12/1009, G06F9/45533, G06F9/45558, G06F12/1027, G06F12/1483, G06F21/00, G06F21/53, G06F2009/45583, G06F2009/45587, G06F2212/1024, G06F2212/1052, G06F2212/151, G06F2212/651, G06F2212/657, G06F2212/68, G06F2221/2141
Abstract: Generally, this disclosure provides systems, methods and computer readable media for a page table edit controller configured to control access to guest page tables by virtual machine (VM) guest software through the manipulation of extended page tables. The system may include a translation look-aside buffer (TLB) to maintain a policy to lock one or more guest linear addresses (GLAs) to one or more allowable guest physical addresses (GPAs); a page walk processor to update the TLB based on the guest page tables; and a page table edit control (PTEC) module to: identify entries of the guest page tables that map GLAs associated with the policy to a first GPA; verify that the mapping conforms to the policy; and place the guest page table into one of a plurality of restricted accessibility states based on the verification, the restricted accessibility applied to the VM guests and to the page walk processor.
-
Publication number: US20160378678A1
Publication date: 2016-12-29
Application number: US14750982
Application date: 2015-06-25
Applicant: Intel Corporation
CPC classification: G06F12/1009, G06F9/45533, G06F9/45558, G06F12/1027, G06F12/1483, G06F21/00, G06F21/53, G06F2009/45583, G06F2009/45587, G06F2212/1024, G06F2212/1052, G06F2212/151, G06F2212/651, G06F2212/657, G06F2212/68, G06F2221/2141
Abstract: Generally, this disclosure provides systems, methods and computer readable media for a page table edit controller configured to control access to guest page tables by virtual machine (VM) guest software through the manipulation of extended page tables. The system may include a translation look-aside buffer (TLB) to maintain a policy to lock one or more guest linear addresses (GLAs) to one or more allowable guest physical addresses (GPAs); a page walk processor to update the TLB based on the guest page tables; and a page table edit control (PTEC) module to: identify entries of the guest page tables that map GLAs associated with the policy to a first GPA; verify that the mapping conforms to the policy; and place the guest page table into one of a plurality of restricted accessibility states based on the verification, the restricted accessibility applied to the VM guests and to the page walk processor.
-
Publication number: US20210200687A1
Publication date: 2021-07-01
Application number: US16728928
Application date: 2019-12-27
Applicant: Intel Corporation
Inventors: DAVID M. DURHAM, JACOB DOWECK, MICHAEL LEMAY, DEEPAK GUPTA
IPC classification: G06F12/1027
Abstract: An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.
-
Publication number: US20200241997A1
Publication date: 2020-07-30
Application number: US16845512
Application date: 2020-04-10
Applicant: Intel Corporation
Inventors: MICHAEL LEMAY, BEEMAN STRONG
Abstract: Processor trace systems and methods are described. For example, one embodiment comprises executing instrumented code by a compiler, the instrumented code including at least one call to un-instrumented code. The compiler can determine the at least one call to un-instrumented code is a next call to be executed. A resume tracing instruction can be inserted into the instrumented code prior to the at least one call to the un-instrumented code. The resume tracing instruction can be executed to selectively add processor tracing to the at least one call to the un-instrumented code, and the at least one call to the un-instrumented code can be executed.
-
Publication number: US20190205238A1
Publication date: 2019-07-04
Application number: US15859142
Application date: 2017-12-29
Applicant: Intel Corporation
Inventors: MICHAEL LEMAY, BEEMAN STRONG
CPC classification: G06F11/3466, G06F11/3024, G06F21/577, G06F2221/033
Abstract: Processor trace systems and methods are described. For example, one embodiment comprises executing instrumented code by a compiler, the instrumented code including at least one call to un-instrumented code. The compiler can determine the at least one call to un-instrumented code is a next call to be executed. A resume tracing instruction can be inserted into the instrumented code prior to the at least one call to the un-instrumented code. The resume tracing instruction can be executed to selectively add processor tracing to the at least one call to the un-instrumented code, and the at least one call to the un-instrumented code can be executed.
-
Publication number: US20180373871A1
Publication date: 2018-12-27
Application number: US15629458
Application date: 2017-06-21
Applicant: INTEL CORPORATION
Inventor: MICHAEL LEMAY
Abstract: Techniques and computing devices for mitigating return-oriented programming (ROP) attacks are described. A hardened stack and an unhardened stack are provided. The hardened stack can include indications of return addresses while the unhardened stack can include all other memory allocations. A stack hardening instruction can be inserted before unhardened instructions (e.g., instructions that are themselves not authorized to access the hardened stack). The stack hardening instruction determines whether the unhardened instruction accessed memory outside the unhardened stack and generates a fault based on the determination. A register can be provided to include an indication of an address span of the unsafe stack. The stack hardening instruction can determine whether the unhardened instruction accessed a memory location outside the address range specified in the register and generate a fault accordingly.
-
Publication number: US20180129808A1
Publication date: 2018-05-10
Application number: US15811469
Application date: 2017-11-13
Applicant: INTEL CORPORATION
Inventors: MICHAEL LEMAY, DAVID M. DURHAM
CPC classification: G06F21/566, G06F21/567, G06F2221/032, H04L63/1416, H04L63/145
Abstract: Various embodiments are generally directed to techniques for detecting malware in a manner that mitigates the consumption of processing and/or storage resources of a processing device. An apparatus may include a first processor component of a processing device to generate entries in a chronological order within a first page modification log maintained within a first storage divided into multiple pages, each entry to indicate a write access made by the first processor component to a page of the multiple pages; a retrieval component of a graphics controller of the processing device to recurringly retrieve indications from the first page modification log of at least one recently written page of the multiple pages; and a scan component of the graphics controller to recurringly scan the at least one recently written page to detect malware within the at least one recently written page.
-
Publication number: US20210311883A1
Publication date: 2021-10-07
Application number: US17321087
Application date: 2021-05-14
Applicant: Intel Corporation
Inventors: DAVID M. DURHAM, JACOB DOWECK, MICHAEL LEMAY, DEEPAK GUPTA
IPC classification: G06F12/1027
Abstract: An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.
-
Publication number: US20200159673A1
Publication date: 2020-05-21
Application number: US16686379
Application date: 2019-11-18
Applicant: Intel Corporation
Inventors: RAVI L. SAHITA, GILBERT NEIGER, VEDVYAS SHANBHOGUE, DAVID M. DURHAM, ANDREW V. ANDERSON, DAVID A. KOUFATY, ASIT K. MALLICK, ARUMUGAM THIYAGARAJAH, BARRY E. HUNTLEY, DEEPAK K. GUPTA, MICHAEL LEMAY, JOSEPH F. CIHULA, BAIJU V. PATEL
IPC classification: G06F12/14, G06F9/455, G06F12/1009, G06F12/1027
Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.