公开(公告)号：US11650818B2

公开(公告)日：2023-05-16

申请号：US17404890

申请日：2021-08-17

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Jason W. Brandt ,  Ravi L. Sahita ,  Xiaoning Li

IPC: G06F21/54 ,  G06F21/00 ,  G06F9/30 ,  G06F9/38 ,  G06F21/55

CPC classification number: G06F9/3005 ,  G06F9/30054 ,  G06F9/30145 ,  G06F9/3857 ,  G06F9/3861 ,  G06F9/3865 ,  G06F9/3867 ,  G06F21/554

Abstract: A processor includes an execution unit and a processing logic operatively coupled to the execution unit, the processing logic to: enter a first execution state and transition to a second execution state responsive to executing a control transfer instruction. Responsive to executing a target instruction of the control transfer instruction, the processing logic further transitions to the first execution state responsive to the target instruction being a control transfer termination instruction of a mode identical to a mode of the processing logic following the execution of the control transfer instruction; and raises an execution exception responsive to the target instruction being a control transfer termination instruction of a mode different than the mode of the processing logic following the execution of the control transfer instruction.

公开(公告)号：US20220019432A1

公开(公告)日：2022-01-20

申请号：US17404890

申请日：2021-08-17

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Jason W. Brandt ,  Ravi L. Sahita ,  Xiaoning Li

IPC: G06F9/30 ,  G06F9/38 ,  G06F21/55

Abstract: A processor includes an execution unit and a processing logic operatively coupled to the execution unit, the processing logic to: enter a first execution state and transition to a second execution state responsive to executing a control transfer instruction. Responsive to executing a target instruction of the control transfer instruction, the processing logic further transitions to the first execution state responsive to the target instruction being a control transfer termination instruction of a mode identical to a mode of the processing logic following the execution of the control transfer instruction; and raises an execution exception responsive to the target instruction being a control transfer termination instruction of a mode different than the mode of the processing logic following the execution of the control transfer instruction.

公开(公告)号：US11055401B2

公开(公告)日：2021-07-06

申请号：US15720083

申请日：2017-09-29

Applicant: Intel Corporation

Inventor： Mingwei Zhang ,  Mingqiu Sun ,  Ravi L. Sahita ,  Chunhui Zhang ,  Xiaoning Li

IPC: H04L29/00 ,  G06F21/53 ,  G06F8/41 ,  G06F9/38 ,  G06F21/12

Abstract: Technologies for untrusted code execution include a computing device having a processor with sandbox support. The computing device executes code included in a native domain in a non-privileged, native processor mode. The computing device may invoke a sandbox jump processor instruction during execution of the code in the native domain to enter a sandbox domain. The computing device executes code in the sandbox domain in a non-privileged, sandbox processor mode in response to invoking the sandbox jump instruction. While executing in the sandbox processor mode, the processor denies access to memory outside of the sandbox domain and may deny execution of one or more prohibited instructions. From the sandbox domain, the computing device may execute a sandbox exit instruction to exit the sandbox domain and resume execution in the native domain. The computing device may execute processor instructions to configure the sandbox domain. Other embodiments are described and claimed.

公开(公告)号：US10325108B2

公开(公告)日：2019-06-18

申请号：US15394958

申请日：2016-12-30

Applicant: Intel Corporation

Inventor： Xiaoning Li ,  Ravi L. Sahita ,  Benjamin W. Boyer ,  Sanjeev Trika ,  Adrian Pearson

IPC: G06F21/62 ,  G06F3/06 ,  G06F21/52 ,  G06F21/78

Abstract: In one embodiment, a system comprises a processor to, in response to a determination that a write command is suspect, identify a logical address associated with the write command; and send a checkpoint command identifying the logical address to a storage device to preserve data stored in the storage device at a physical address associated with the logical address.

公开(公告)号：US20160283410A1

公开(公告)日：2016-09-29

申请号：US14667125

申请日：2015-03-24

Applicant: Intel Corporation

Inventor： Rodrigo Rubira Branco ,  Xiaoning Li

IPC: G06F12/14 ,  G06F21/62

CPC classification number: G06F12/1458 ,  G06F21/52 ,  G06F2212/1052

Abstract: Systems, apparatuses and methods may provide for identifying a stack pointer associated with a sequence of code being executed on a computing system and counting a number of exchange updates to the stack pointer. Additionally, a hardware interrupt may be generated if the number of exchange updates reaches a threshold. In one example, the hardware interrupt is a performance monitoring interrupt.

Abstract translation: 系统，装置和方法可以提供用于识别与在计算系统上执行的代码序列相关联的堆栈指针，并且对堆栈指针的多个交换更新进行计数。 另外，如果交换更新次数达到阈值，则可能会产生硬件中断。 在一个示例中，硬件中断是性能监视中断。

公开(公告)号：US09268707B2

公开(公告)日：2016-02-23

申请号：US13730920

申请日：2012-12-29

Applicant: Intel Corporation

Inventor： Ravi L. Sahita ,  Xiaoning Li ,  Manohar R. Castelino

IPC: G06F12/02 ,  G06F12/10 ,  G06F9/455 ,  G06F12/14

CPC classification number: G06F12/109 ,  G06F9/45533 ,  G06F9/45558 ,  G06F12/0292 ,  G06F12/1009 ,  G06F12/145 ,  G06F2009/45583 ,  G06F2212/151 ,  G06F2212/657

Abstract: Methods and apparatus relating to low overhead paged memory runtime protection are described. In an embodiment, permission information for guest physical mapping are received prior to utilization of paged memory by an Operating System (OS) based on the guest physical mapping. The permission information is provided through an Extended Page Table (EPT). Other embodiments are also described.

Abstract translation: 描述了与低开销分页存储器运行时保护有关的方法和装置。 在一个实施例中，客户物理映射的许可信息在基于客户物理映射的操作系统（OS）利用分页存储器之前被接收。 许可信息通过扩展页表（EPT）提供。 还描述了其它实施例。

公开(公告)号：US11847206B2

公开(公告)日：2023-12-19

申请号：US17367106

申请日：2021-07-02

Applicant: Intel Corporation

Inventor： Mingwei Zhang ,  Mingqiu Sun ,  Ravi L. Sahita ,  Chunhui Zhang ,  Xiaoning Li

IPC: H04L29/00 ,  G06F21/53 ,  G06F8/41 ,  G06F9/38 ,  G06F21/12

CPC classification number: G06F21/53 ,  G06F8/441 ,  G06F9/3836 ,  G06F21/126 ,  G06F2221/2143

Abstract: Technologies for untrusted code execution include a computing device having a processor with sandbox support. The computing device executes code included in a native domain in a non-privileged, native processor mode. The computing device may invoke a sandbox jump processor instruction during execution of the code in the native domain to enter a sandbox domain. The computing device executes code in the sandbox domain in a non-privileged, sandbox processor mode in response to invoking the sandbox jump instruction. While executing in the sandbox processor mode, the processor denies access to memory outside of the sandbox domain and may deny execution of one or more prohibited instructions. From the sandbox domain, the computing device may execute a sandbox exit instruction to exit the sandbox domain and resume execution in the native domain. The computing device may execute processor instructions to configure the sandbox domain. Other embodiments are described and claimed.

公开(公告)号：US10311252B2

公开(公告)日：2019-06-04

申请号：US15459640

申请日：2017-03-15

Applicant: Intel Corporation

Inventor： Xiaoning Li ,  Mingqiu Sun ,  David A. Koufaty ,  Ravi L. Sahita

IPC: G06F21/00 ,  G06F21/62

Abstract: Technologies for managed code execution include a computing device having a processor with protection key support. The computing device sets a protection key register of the processor with permissions to disallow data access to any protection domain of the computing device and then executes a domain switch routine to switch to a managed applet. The managed applet is included in an applet protection domain, the domain switch routine is included in a switch protection domain, and a managed runtime environment is included in a normal protection domain. The domain switch routine sets the protection key register with permissions to disallow access to any protection domain other than the applet protection domain and then executes the managed applet. Other managed applets may be each be included in separate applet domains. Each managed applet may be a thread executed within a common process address space. Other embodiments are described and claimed.

公开(公告)号：US20180268170A1

公开(公告)日：2018-09-20

申请号：US15459640

申请日：2017-03-15

Applicant: Intel Corporation

Inventor： Xiaoning Li ,  Mingqiu Sun ,  David A. Koufaty ,  Ravi L. Sahita

IPC: G06F21/62

CPC classification number: G06F21/6281

Abstract: Technologies for managed code execution include a computing device having a processor with protection key support. The computing device sets a protection key register of the processor with permissions to disallow data access to any protection domain of the computing device and then executes a domain switch routine to switch to a managed applet. The managed applet is included in an applet protection domain, the domain switch routine is included in a switch protection domain, and a managed runtime environment is included in a normal protection domain. The domain switch routine sets the protection key register with permissions to disallow access to any protection domain other than the applet protection domain and then executes the managed applet. Other managed applets may be each be included in separate applet domains. Each managed applet may be a thread executed within a common process address space. Other embodiments are described and claimed.

公开(公告)号：US09893897B2

公开(公告)日：2018-02-13

申请号：US14929476

申请日：2015-11-02

Applicant: Intel Corporation

Inventor： Xiaoning Li ,  Karanvir S. Grewal ,  Geoffrey H. Cooper ,  John R. Guzik

IPC: H04L9/32 ,  G06F11/30 ,  G06F21/00 ,  H04L29/06

CPC classification number: H04L9/3273 ,  G06F11/30 ,  G06F21/00 ,  H04L63/0227 ,  H04L63/0281 ,  H04L63/0428 ,  H04L63/0464 ,  H04L63/166 ,  H04L2209/24

Abstract: Technologies are provided in example embodiments for analyzing an encrypted network flow. The technologies include monitoring the encrypted network flow between a first node and a second node, the network flow initiated from the first node; duplicating the encrypted network flow to form a copy of the encrypted network flow; decrypting the copy of the encrypted network flow using a shared secret, the shared secret associated with the first node and the second node; and scanning the network flow copy for targeted data.