公开(公告)号：US11531750B2

公开(公告)日：2022-12-20

申请号：US16937155

申请日：2020-07-23

Applicant: Intel Corporation

Inventor： David M. Durham ,  Karanvir S. Grewal ,  Sergej Deutsch ,  Michael Lemay

IPC: G06F9/455 ,  G06F21/53 ,  G06F21/57 ,  H04L9/40

Abstract: Systems, apparatuses and methods may provide for technology that associates a key domain of a plurality of key domains with a customer boot image, receives the customer boot image from the customer, and verifies the integrity of the customer boot image that is to be securely installed at memory locations determined from an untrusted privileged entity (e.g., a virtual machine manager).

公开(公告)号：US11409662B2

公开(公告)日：2022-08-09

申请号：US17321087

申请日：2021-05-14

Applicant: Intel Corporation

Inventor： David M. Durham ,  Jacob Doweck ,  Michael Lemay ,  Deepak Gupta

IPC: G06F12/10 ,  G06F12/1027

Abstract: An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.

公开(公告)号：US20220214879A1

公开(公告)日：2022-07-07

申请号：US17703121

申请日：2022-03-24

Applicant: Intel Corporation

Inventor： Michael Lemay ,  David M. Durham

IPC: G06F9/30 ,  G06F9/50 ,  G06F21/60

Abstract: Systems, methods, and apparatuses for generating a protected stack allocation pointer. In certain examples, a hardware processor core comprises a decoder circuit to decode a single instruction into a decoded single instruction, the single instruction comprising one or more fields to indicate a stack allocation index as an operand, and an opcode to indicate that an execution circuit is to generate a stack allocation pointer to reference an address in a stack and an address in a shadow stack; and an execution circuit to execute the decoded single instruction according to the opcode.

公开(公告)号：US11163569B2

公开(公告)日：2021-11-02

申请号：US16729358

申请日：2019-12-28

Applicant: Intel Corporation

Inventor： Michael Lemay ,  Vedvyas Shanbhogue ,  Deepak Gupta ,  Ravi Sahita ,  David M. Durham ,  Willem Pinckaers ,  Enrico Perla

IPC: G06F16/90 ,  G06F12/14 ,  G06F12/1009 ,  G06F9/30 ,  G06F9/38 ,  G06F16/901 ,  G06F9/46 ,  G06F9/448

Abstract: Systems, methods, and apparatuses relating to circuitry to implement individually revocable capabilities for enforcing temporal memory safety are described. In one embodiment, a hardware processor comprises an execution unit to execute an instruction to request access to a block of memory through a pointer to the block of memory, and a memory controller circuit to allow access to the block of memory when an allocated object tag in the pointer is validated with an allocated object tag in an entry of a capability table in memory that is indexed by an index value in the pointer, wherein the memory controller circuit is to clear the allocated object tag in the capability table when a corresponding object is deallocated.

公开(公告)号：US10884952B2

公开(公告)日：2021-01-05

申请号：US15282954

申请日：2016-09-30

Applicant: Intel Corporation

Inventor： Michael Lemay ,  David A Koufaty ,  Ravi Sahita

IPC: G06F11/00 ,  G06F12/14 ,  G06F21/53 ,  G06F21/56 ,  G06F12/1009

Abstract: Enforcing memory operand types using protection keys is generally described herein. A processor system to provide sandbox execution support for protection key rights attacks includes a processor core to execute a task associated with an untrusted application and execute the task using a designated page of a memory; and a memory management unit to designate the page of the memory to support execution of the untrusted application.

公开(公告)号：US10860709B2

公开(公告)日：2020-12-08

申请号：US16024547

申请日：2018-06-29

Applicant: Intel Corporation

Inventor： Michael Lemay ,  David M. Durham ,  Michael E. Kounavis ,  Barry E. Huntley ,  Vedvyas Shanbhogue ,  Jason W. Brandt ,  Josh Triplett ,  Gilbert Neiger ,  Karanvir Grewal ,  Baiju V. Patel ,  Ye Zhuang ,  Jr-Shian Tsai ,  Vadim Sukhomlinov ,  Ravi Sahita ,  Mingwei Zhang ,  James C. Farwell ,  Amitabh Das ,  Krishna Bhuyan

IPC: G06F21/53 ,  G06F12/02

Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

公开(公告)号：US09710393B2

公开(公告)日：2017-07-18

申请号：US14750982

申请日：2015-06-25

Applicant: Intel Corporation

Inventor： Michael Lemay ,  David M. Durham ,  Andrew V. Anderson ,  Gilbert Neiger ,  Ravi L. Sahita

IPC: G06F12/00 ,  G06F12/1009 ,  G06F12/1027 ,  G06F12/14 ,  G06F9/455 ,  G06F21/00

CPC classification number: G06F12/1009 ,  G06F9/45533 ,  G06F9/45558 ,  G06F12/1027 ,  G06F12/1483 ,  G06F21/00 ,  G06F21/53 ,  G06F2009/45583 ,  G06F2009/45587 ,  G06F2212/1024 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/651 ,  G06F2212/657 ,  G06F2212/68 ,  G06F2221/2141

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a page table edit controller configured to control access to guest page tables by virtual machine (VM) guest software through the manipulation of extended page tables. The system may include a translation look-aside buffer (TLB) to maintain a policy to lock one or more guest linear addresses (GLAs) to one or more allowable guest physical addresses (GPAs); a page walk processor to update the TLB based on the guest page tables; and a page table edit control (PTEC) module to: identify entries of the guest page tables that map GLAs associated with the policy to a first GPA; verify that the mapping conforms to the policy; and place the guest page table into one of a plurality of restricted accessibility states based on the verification, the restricted accessibility applied to the VM guests and to the page walk processor.

公开(公告)号：US11922220B2

公开(公告)日：2024-03-05

申请号：US17255588

申请日：2019-04-16

Applicant: Intel Corporation

Inventor： Mohammad R. Haghighat ,  Kshitij Doshi ,  Andrew J. Herdrich ,  Anup Mohan ,  Ravishankar R. Iyer ,  Mingqiu Sun ,  Krishna Bhuyan ,  Teck Joo Goh ,  Mohan J. Kumar ,  Michael Prinke ,  Michael Lemay ,  Leeor Peled ,  Jr-Shian Tsai ,  David M. Durham ,  Jeffrey D. Chamberlain ,  Vadim A. Sukhomlinov ,  Eric J. Dahlen ,  Sara Baghsorkhi ,  Harshad Sane ,  Areg Melik-Adamyan ,  Ravi Sahita ,  Dmitry Yurievich Babokin ,  Ian M. Steiner ,  Alexander Bachmutsky ,  Anil Rao ,  Mingwei Zhang ,  Nilesh K. Jain ,  Amin Firoozshahian ,  Baiju V. Patel ,  Wenyong Huang ,  Yeluri Raghuram

IPC: G06F9/50 ,  G06F9/52 ,  G06F11/30 ,  G06F11/34 ,  G06F21/53 ,  G06F21/56 ,  G06F21/60 ,  G06N20/00

CPC classification number: G06F9/5061 ,  G06F9/52 ,  G06F11/302 ,  G06F11/3495 ,  G06F21/53 ,  G06F21/604 ,  G06F21/56 ,  G06F2209/521 ,  G06F2221/033 ,  G06N20/00

Abstract: Embodiments of systems, apparatuses and methods provide enhanced function as a service (FaaS) to users, e.g., computer developers and cloud service providers (CSPs). A computing system configured to provide such enhanced FaaS service include one or more controls architectural subsystems, software and orchestration subsystems, network and storage subsystems, and security subsystems. The computing system executes functions in response to events triggered by the users in an execution environment provided by the architectural subsystems, which represent an abstraction of execution management and shield the users from the burden of managing the execution. The software and orchestration subsystems allocate computing resources for the function execution by intelligently spinning up and down containers for function code with decreased instantiation latency and increased execution scalability while maintaining secured execution. Furthermore, the computing system enables customers to pay only when their code gets executed with a granular billing down to millisecond increments.

公开(公告)号：US11734199B2

公开(公告)日：2023-08-22

申请号：US18074232

申请日：2022-12-02

Applicant: Intel Corporation

Inventor： Michael Lemay ,  David A Koufaty ,  Ravi L. Sahita

IPC: G06F12/14 ,  G06F21/53 ,  G06F21/56 ,  G06F12/1009

CPC classification number: G06F12/1466 ,  G06F21/53 ,  G06F21/566 ,  G06F12/1009 ,  G06F2212/1052 ,  G06F2221/034

Abstract: Enforcing memory operand types using protection keys is generally described herein. A processor system to provide sandbox execution support for protection key rights attacks includes a processor core to execute a task associated with an untrusted application and execute the task using a designated page of a memory; and a memory management unit to designate the page of the memory to support execution of the untrusted application.

公开(公告)号：US20220222183A1

公开(公告)日：2022-07-14

申请号：US17704771

申请日：2022-03-25

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael Lemay

IPC: G06F12/14 ,  G06F9/30

Abstract: Embodiments are directed to tagless implicit integrity with multi-perspective pattern search for memory safety. An embodiment of an apparatus includes one or more processors comprising hardware circuitry to: access encrypted data stored in a memory hierarchy using a pointer; decrypt the encrypted data using a current version of a pointer tag of the pointer to yield first decrypted data; perform an entropy test on the first decrypted data; responsive to the entropy test failing to detect patterns in the first decrypted data, re-decrypt the encrypted data using one or more different versions of the pointer tag of the pointer to yield one or more other decrypted data; perform the entropy test on the one or more other decrypted versions; and responsive to the entropy test detecting the patterns in the one or more other decrypted data, signal an exception to the one or more processors with respect to the encrypted data.