公开(公告)号：US20170249260A1

公开(公告)日：2017-08-31

申请号：US15088739

申请日：2016-04-01

申请人： RAVI L. SAHITA ,  GILBERT NEIGER ,  VEDVYAS SHANBHOGUE ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  DAVID A. KOUFATY ,  ASIT K. MALLICK ,  ARUMUGAM THIYAGARAJAH ,  BARRY E. HUNTLEY ,  DEEPAK K. GUPTA ,  MICHAEL LEMAY ,  JOSEPH F. CIHULA ,  BAIJU V. PATEL

发明人： RAVI L. SAHITA ,  GILBERT NEIGER ,  VEDVYAS SHANBHOGUE ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  DAVID A. KOUFATY ,  ASIT K. MALLICK ,  ARUMUGAM THIYAGARAJAH ,  BARRY E. HUNTLEY ,  DEEPAK K. GUPTA ,  MICHAEL LEMAY ,  JOSEPH F. CIHULA ,  BAIJU V. PATEL

IPC分类号： G06F12/14 ,  G06F12/10 ,  G06F21/62 ,  G06F3/06

摘要： This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

公开(公告)号：US20150378930A1

公开(公告)日：2015-12-31

申请号：US14317571

申请日：2014-06-27

申请人： RAVI L. SAHITA ,  GILBERT NEIGER ,  DAVID M. DURHAM ,  VEDVYAS SHANBHOGUE ,  MICHAEL LEMAY ,  IDO OUZIEL ,  STANISLAV SHWARTSMAN ,  BARRY HUNTLEY ,  ANDREW V. ANDERSON

发明人： RAVI L. SAHITA ,  GILBERT NEIGER ,  DAVID M. DURHAM ,  VEDVYAS SHANBHOGUE ,  MICHAEL LEMAY ,  IDO OUZIEL ,  STANISLAV SHWARTSMAN ,  BARRY HUNTLEY ,  ANDREW V. ANDERSON

IPC分类号： G06F12/10

CPC分类号： G06F12/1009 ,  G06F9/45558 ,  G06F12/145 ,  G06F2009/45583 ,  G06F2009/45587 ,  G06F2212/651 ,  G06F2212/657 ,  Y02D10/13

摘要： Systems and methods for validating virtual address translation. An example processing system comprises: a processing core to execute a first application associated with a first privilege level and a second application associated with a second privilege level, wherein a first set of privileges associated with the first privilege level includes a second set of privileges associated with the second privilege level; and an address validation component to validate, in view of an address translation data structure maintained by the first application, a mapping of a first address defined in a first address space of the second application to a second address defined in a second address space of the second application.

摘要翻译： 用于验证虚拟地址转换的系统和方法。 示例性处理系统包括：处理核心，用于执行与第一特权级别相关联的第一应用程序和与第二权限级别相关联的第二应用程序，其中与所述第一权限级别相关联的第一组权限包括相关联的第二组权限 具有第二个特权级别; 以及地址确认部件，鉴于由第一应用维护的地址转换数据结构，验证在第二应用的第一地址空间中定义的第一地址到第二地址空间中定义的第二地址 第二个应用。

公开(公告)号：US20230043506A1

公开(公告)日：2023-02-09

申请号：US17873668

申请日：2022-07-26

申请人： DAVID M. DURHAM ,  JACOB DOWECK ,  MICHAEL LEMAY ,  DEEPAK GUPTA

发明人： DAVID M. DURHAM ,  JACOB DOWECK ,  MICHAEL LEMAY ,  DEEPAK GUPTA

IPC分类号： G06F12/1027

摘要： An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.

公开(公告)号：US20170185773A1

公开(公告)日：2017-06-29

申请号：US14757945

申请日：2015-12-24

申请人： MICHAEL LEMAY ,  DAVID M. DURHAM

发明人： MICHAEL LEMAY ,  DAVID M. DURHAM

IPC分类号： G06F21/56 ,  H04L29/06

CPC分类号： G06F21/566 ,  G06F21/567 ,  G06F2221/032 ,  H04L63/1416 ,  H04L63/145

摘要： Various embodiments are generally directed to techniques for detecting malware in a manner that mitigates the consumption of processing and/or storage resources of a processing device. An apparatus may include a first processor component of a processing device to generate entries in a chronological order within a first page modification log maintained within a first storage divided into multiple pages, each entry to indicate a write access made by the first processor component to a page of the multiple pages; a retrieval component of a graphics controller of the processing device to recurringly retrieve indications from the first page modification log of at least one recently written page of the multiple pages; and a scan component of the graphics controller to recurringly scan the at least one recently written page to detect malware within the at least one recently written page.

公开(公告)号：US20190044971A1

公开(公告)日：2019-02-07

申请号：US16024089

申请日：2018-06-29

申请人： VADIM SUKHOMLINOV ,  KSHITIJ DOSHI ,  MICHAEL LEMAY ,  DMITRY BABOKIN ,  AREG MELIK-ADAMYAN

发明人： VADIM SUKHOMLINOV ,  KSHITIJ DOSHI ,  MICHAEL LEMAY ,  DMITRY BABOKIN ,  AREG MELIK-ADAMYAN

IPC分类号： H04L29/06 ,  G06F21/57 ,  G06F9/455

摘要： Embodiments are directed toward techniques to detect a first function associated with an address space initiating a call instruction to a second function in the address space, the first function to call the second function in a deprivileged mode of operation, and define accessible address ranges for segments of the address space for the second function, each segment to a have a different address range in the address space where the second function is permitted to access in the deprivileged mode of operation, Embodiments include switching to the stack associated with the second address space and the second function, and initiating execution of the second function in the deprivileged mode of operation