公开(公告)号：US20220012055A1

公开(公告)日：2022-01-13

申请号：US17485347

申请日：2021-09-25

申请人： Michael Lemay ,  David M. Durham

发明人： Michael Lemay ,  David M. Durham

IPC分类号： G06F9/30

摘要： Methods, apparatus, systems, and articles of manufacture are disclosed that perform bounds checking on authorized memory allocations during pointer arithmetic. In some examples, instruction decode circuitry decodes an update pointer instruction for a pointer. In some examples, bounds checking circuitry determines an authorized allocation for the pointer, determines one or more exclusion zones and poison zones for the pointer. In some examples, bounds checking circuitry updates the pointer and generates a fault if the pointer points to one of the exclusion zones and poisons the pointer if the pointer points to one of the poison zones.

公开(公告)号：US10515023B2

公开(公告)日：2019-12-24

申请号：US15088739

申请日：2016-04-01

申请人： Ravi L. Sahita ,  Gilbert Neiger ,  Vedvyas Shanbhogue ,  David M. Durham ,  Andrew V. Anderson ,  David A. Koufaty ,  Asit K. Mallick ,  Arumugam Thiyagarajah ,  Barry E. Huntley ,  Deepak K. Gupta ,  Michael Lemay ,  Joseph F. Cihula ,  Baiju V. Patel

发明人： Ravi L. Sahita ,  Gilbert Neiger ,  Vedvyas Shanbhogue ,  David M. Durham ,  Andrew V. Anderson ,  David A. Koufaty ,  Asit K. Mallick ,  Arumugam Thiyagarajah ,  Barry E. Huntley ,  Deepak K. Gupta ,  Michael Lemay ,  Joseph F. Cihula ,  Baiju V. Patel

IPC分类号： G06F12/00 ,  G06F12/14 ,  G06F12/1009 ,  G06F9/455 ,  G06F12/1027 ,  G06F21/78

摘要： This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

公开(公告)号：US20160179665A1

公开(公告)日：2016-06-23

申请号：US14581730

申请日：2014-12-23

申请人： Michael LeMay ,  Ravi L. Sahita ,  Barry E. Huntley ,  David M. Durham ,  Vedvyas Shanbhogue

发明人： Michael LeMay ,  Ravi L. Sahita ,  Barry E. Huntley ,  David M. Durham ,  Vedvyas Shanbhogue

IPC分类号： G06F12/08 ,  G06F9/455

CPC分类号： G06F12/08 ,  G06F9/45558 ,  G06F12/1009 ,  G06F12/1491 ,  G06F21/79 ,  G06F2009/45583 ,  G06F2009/45591 ,  G06F2212/151 ,  G06F2212/657

摘要： Generally, this disclosure provides systems, devices, methods and computer readable media for controlled memory view switching. The system may include a memory module comprising a shared address space between a first memory view and a second memory view. The system may also include a virtual machine monitor (VMM) to maintain a list of Controlled View Switch (CVS) descriptors. The system may further include a processor to receive a memory view switch request and to execute an instruction to save processor state information and switch from the first memory view to the second memory view, wherein the second memory view is specified by an extended page table pointer (EPTP) provided by one of the CVS descriptors.

摘要翻译： 通常，本公开提供了用于受控存储器视图切换的系统，设备，方法和计算机可读介质。 该系统可以包括存储器模块，该存储器模块包括第一存储器视图和第二存储器视图之间的共享地址空间。 该系统还可以包括维护受控视图切换（CVS）描述符的列表的虚拟机监视器（VMM）。 该系统还可以包括处理器，用于接收存储器视图切换请求并且执行用于保存处理器状态信息并从第一存储器视图切换到第二存储器视图的指令，其中第二存储器视图由扩展页表指针 （EPTP）由其中一个CVS描述符提供。

公开(公告)号：US20220382885A1

公开(公告)日：2022-12-01

申请号：US17878322

申请日：2022-08-01

申请人： David M. Durham ,  Michael LeMay ,  Ramya Jayaram Masti ,  Gilbert Neiger ,  Jason W. Brandt

发明人： David M. Durham ,  Michael LeMay ,  Ramya Jayaram Masti ,  Gilbert Neiger ,  Jason W. Brandt

IPC分类号： G06F21/60 ,  G06F12/0897 ,  G06F9/30 ,  G06F9/48 ,  G06F21/72 ,  H04L9/06 ,  G06F12/06 ,  G06F12/0875 ,  G06F21/79 ,  G06F9/455 ,  G06F12/0811 ,  G06F21/12 ,  H04L9/08 ,  G06F12/14 ,  G06F9/32 ,  G06F9/50 ,  G06F12/02 ,  H04L9/14 ,  G06F21/62

摘要： Technologies disclosed herein provide cryptographic computing with cryptographically encoded pointers in multi-tenant environments. An example method comprises executing, by a trusted runtime, first instructions to generate a first address key for a private memory region in the memory and generate a first cryptographically encoded pointer to the private memory region in the memory. Generating the first cryptographically encoded pointer includes storing first context information associated with the private memory region in first bits of the first cryptographically encoded pointer and performing a cryptographic algorithm on a slice of a first linear address of the private memory region based, at least in part, on the first address key and a first tweak, the first tweak including the first context information. The method further includes permitting a first tenant in the multi-tenant environment to access the first address key and the first cryptographically encoded pointer to the private memory region.

公开(公告)号：US20170097898A1

公开(公告)日：2017-04-06

申请号：US14974972

申请日：2015-12-18

申请人： David M. Durham ,  Michael Lemay ,  Men Long

发明人： David M. Durham ,  Michael Lemay ,  Men Long

IPC分类号： G06F12/10 ,  G06F9/30 ,  G06F12/14

CPC分类号： G06F12/1027 ,  G06F9/3005 ,  G06F12/1408 ,  G06F12/1475 ,  G06F2212/402 ,  G06F2212/50 ,  Y02D10/13

摘要： Technologies for execute only transactional memory include a computing device with a processor and a memory. The processor includes an instruction translation lookaside buffer (iTLB) and a data translation lookaside buffer (dTLB). In response to a page miss, the processor determines whether a page physical address is within an execute only transactional (XOT) range of the memory. If within the XOT range, the processor may populate the iTLB with the page physical address and prevent the dTLB from being populated with the page physical address. In response to an asynchronous change of control flow such as an interrupt, the processor determines whether a last iTLB translation is within the XOT range. If within the XOT range, the processor clears or otherwise secures the processor register state. The processor ensures that an XOT range starts execution at an authorized entry point. Other embodiments are described and claimed.

公开(公告)号：US20140380009A1

公开(公告)日：2014-12-25

申请号：US14127561

申请日：2013-06-24

申请人： Michael Lemay ,  David M. Durham ,  Ravi L. Sahita ,  Andrew V. Anderson

发明人： Michael Lemay ,  David M. Durham ,  Ravi L. Sahita ,  Andrew V. Anderson

IPC分类号： G06F12/14 ,  G06F9/455 ,  G06F12/10

CPC分类号： G06F12/145 ,  G06F9/30076 ,  G06F9/45558 ,  G06F12/1009 ,  G06F12/1491 ,  G06F2009/45583 ,  G06F2212/1052 ,  G06F2212/151

摘要： Generally, this disclosure provides systems, methods and computer readable media for a protected memory view in a virtual machine (VM) environment enabling nested page table access by trusted guest software outside of VMX root mode. The system may include an editor module configured to provide access to a nested page table structure, by operating system (OS) kernel components and by user space applications within a guest of the VM, wherein the nested page table structure is associated with one of the protected memory views. The system may also include a page handling processor configured to secure that access by maintaining security information in the nested page table structure.

摘要翻译： 通常，本公开提供了用于虚拟机（VM）环境中的受保护的存储器视图的系统，方法和计算机可读介质，其实现了受VMX根模式之外的受信任客户机的嵌套页表访问。 该系统可以包括被配置为通过操作系统（OS）内核组件和由VM的来宾内的用户空间应用提供对嵌套页表结构的访问的编辑器模块，其中嵌套页表结构与 受保护的内存视图。 该系统还可以包括页面处理处理器，其被配置为通过维护嵌套页表结构中的安全信息来保护该访问。

公开(公告)号：US20180091308A1

公开(公告)日：2018-03-29

申请号：US15816901

申请日：2017-11-17

申请人： David M. Durham ,  Rajat Agarwal ,  Siddhartha Chhabra ,  Sergej Deutsch ,  Karanvir S. Grewal ,  Ioannis T. Schoinas

发明人： David M. Durham ,  Rajat Agarwal ,  Siddhartha Chhabra ,  Sergej Deutsch ,  Karanvir S. Grewal ,  Ioannis T. Schoinas

IPC分类号： H04L9/32 ,  G06F3/06 ,  H04L9/06 ,  G06F11/10 ,  G11C29/52

摘要： In one example, a system for managing encrypted memory comprises a processor to store a first MAC based on data stored in system memory in response to a write operation to the system memory. The processor can also detect a read operation corresponding to the data stored in the system memory, calculate a second MAC based on the data retrieved from the system memory, determine that the second MAC does not match the first MAC, and recalculate the second MAC with a correction operation, wherein the correction operation comprises an XOR operation based on the data retrieved from the system memory and a replacement value for a device of the system memory. Furthermore, the processor can decrypt the data stored in the system memory in response to detecting the recalculated second MAC matches the first MAC and transmit the decrypted data to cache thereby correcting memory errors.

公开(公告)号：US20180046803A1

公开(公告)日：2018-02-15

申请号：US15235806

申请日：2016-08-12

申请人： Xiaoning Li ,  Ravi L. Sahita ,  David M. Durham

发明人： Xiaoning Li ,  Ravi L. Sahita ,  David M. Durham

IPC分类号： G06F21/56 ,  G06F21/52 ,  G06F11/14

CPC分类号： G06F21/566 ,  G06F11/1417 ,  G06F11/302 ,  G06F11/3089 ,  G06F21/54 ,  G06F2201/84

摘要： Technologies for hardware assisted native malware detection include a computing device. The computing device includes one or more processors with hook logic to monitor for execution of branch instructions of an application, compare the monitored branch instructions to filter criteria, and determine whether a monitored branch instruction satisfies the filter criteria. Additionally, the computing device includes a malware detector to provide the filter criteria to the hook logic, provide an address of a callback function to the hook logic to be executed in response to a determination that a monitored branch instruction satisfies the filter criteria, and analyze, in response to execution of the callback function, the monitored branch instruction to determine whether the monitored branch instruction is indicative of malware. Other embodiments are also described and claimed.

公开(公告)号：US09276745B2

公开(公告)日：2016-03-01

申请号：US13976298

申请日：2011-12-15

申请人： David M. Durham ,  Men Long ,  Karanvir S. Grewal ,  Prashant Dewan ,  Xiaozhu Kang

发明人： David M. Durham ,  Men Long ,  Karanvir S. Grewal ,  Prashant Dewan ,  Xiaozhu Kang

IPC分类号： H04L29/06 ,  G06F21/10 ,  H04L9/28 ,  H04L9/06 ,  H04N1/44 ,  G06F21/62 ,  H04N21/2743 ,  H04N21/4405 ,  H04N21/4408 ,  H04N21/4788 ,  H04N21/81

CPC分类号： H04L9/28 ,  G06F21/6263 ,  G06F2221/2107 ,  H04L9/065 ,  H04L63/0428 ,  H04N1/4486 ,  H04N21/2743 ,  H04N21/4405 ,  H04N21/4408 ,  H04N21/4788 ,  H04N21/8153

摘要： An apparatus and method for preserving image privacy when manipulated by cloud services includes middleware for receiving an original image, splitting the original image into two sub-images, where the RGB pixel values of the sub-images have a bit value that is less than RGB pixel values of the original image. The sub-images are encrypted by adding a keystream to the RGB pixel values of the sub-images. The sub-image data is transmitted to a cloud service such as a social network or photo-sharing site, which manipulate the images by resizing, cropping, filtering, or the like. The sub-image data is received by the middleware and is successfully decrypted irrespective of the manipulations performed by the cloud services. In an alternative embodiment, the blocks of the original image are permutated when encrypted, and then reverse-permutated when decrypted.

摘要翻译： 一种用于在由云服务操作时保护图像隐私的装置和方法包括用于接收原始图像的中间件，将原始图像分割成两个子图像，其中子图像的RGB像素值具有小于RGB的比特值 原始图像的像素值。 通过向子图像的RGB像素值添加密钥流来加密子图像。 子图像数据被发送到诸如社交网络或照片共享站点的云服务，其通过调整大小，裁剪，过滤等来操纵图像。 子图像数据由中间件接收，并且被成功解密，而与云服务执行的操作无关。 在替代实施例中，原始图像的块在加密时被置换，然后在被解密时反向排列。

公开(公告)号：US09081947B2

公开(公告)日：2015-07-14

申请号：US13976918

申请日：2011-12-27

申请人： Prashant Dewan ,  David M. Durham ,  Ling Huang ,  Karanvir S. Grewal ,  Xiaozhu Kang

发明人： Prashant Dewan ,  David M. Durham ,  Ling Huang ,  Karanvir S. Grewal ,  Xiaozhu Kang

IPC分类号： G06F21/32 ,  G06K9/78 ,  G06K9/00

CPC分类号： G06F21/32 ,  G06K9/00288 ,  G06K9/00899

摘要： A password-less method for authenticating a user includes capturing one or more images of a face of the user and comparing the one or more images with a previously collected face template. Randomly selected colored light and randomized blinking patterns are used to capture the images of the user. Such captured images are compared to previously collected face templates, thereby thwarting spoof attacks. A secret image, known only to the user and the device, is moved from one area of the display to another randomly selected area, using the movements of the user's head or face, thereby providing a Turing based challenge. Protected audio video path (PAVP) enabled devices and components are used to protect the challenge from malware attacks.

摘要翻译： 用于认证用户的无密码方法包括捕获用户的脸部的一个或多个图像并将一个或多个图像与先前收集的面部模板进行比较。 随机选择的彩色光和随机闪烁图案用于捕获用户的图像。 将这样的拍摄图像与先前收集的面部模板进行比较，从而阻止欺骗攻击。 使用用户和设备已知的秘密图像使用用户头部或脸部的移动从显示器的一个区域移动到另一个随机选择的区域，从而提供基于图灵的挑战。 受保护的音频视频路径（PAVP）启用的设备和组件用于保护挑战免受恶意软件攻击。