Abstract:
A computer implemented method (200) for preventing rowhammer attack in a computing device is disclosed. The device has memory which includes a plurality of untrusted memory portions and a plurality of trusted memory portions, the plurality of untrusted memory portions and trusted memory portions being distributed within the memory. The method comprises: determining (202) respective trusted memory portions that are arranged physically contiguous to respective at least one untrusted memory portion to provide an identified set of trusted memory portions, the respective untrusted memory portions being accessible to perform the attack on the respective trusted memory portions; determining (204) trusted memory portions in the identified set of trusted memory portions that are movable to a different memory location in the memory; moving (206) the movable trusted memory portions to an available memory location in the memory to form a block of trusted memory portions; generating (208) at least one memory guard portion; and configuring (210) the memory guard portion to be arranged at an end of the block of trusted memory portions that is physically contiguous to an untrusted memory portion. The memory guard portion prevents electrical-interaction between the block of trusted memory portions and the untrusted memory portion to prevent the attack.
Abstract:
A technology for mutually isolating accessors of a shared electronic device from leakage of context data after a context switch comprises: on making the shared electronic device available to the plurality of accessors, establishing a portion of storage as an indicator location for the shared electronic device; when a first accessor requests use of the shared electronic device, writing at least one device-reset-required indicator to the indicator location; on switching context to a new context, after context save, when a second accessor requests use of the shared electronic device, resetting context data of the shared electronic device to a known state and reconciling the first device-reset-required indicator and a second device-reset-required indicator for the new context.
Abstract:
Suspicious file prospecting activity is detected based on patterns of file system access. A user's file system access is monitored over a specific time period. A sequence of the file accesses (e.g., represented as path names) made by the user during the time period is recorded. Distances between the recorded file accesses are determined, for example as edit distances. A distance sequence is recorded, comprising a record of the determined distances. The distance sequence is reduced to one or more baseline statistics describing the pattern of the user's access of the file system during the given period of time. At least one subsequent anomaly in the user's access of the file system is detected, by comparing at least one subsequently calculated statistic representing at least one subsequent pattern of the user's file system access to the at least one baseline statistic.
Abstract:
Technologies are generally described for a framework to automatically estimate cross-VM covert channel capacity for channels such as central processing unit (CPU) load, CPU L2 cache, memory bus and disk bus. In some examples, the framework may include automated parameter tuning for various cross-VM covert channels to achieve high data rate and automated capacity estimation of those cross-VM covert channels through machine learning. Shannon Entropy formulation may be applied to estimate the capacity of cross-VM covert channels established on any given cloud platform. Furthermore, the noise of a cross-VM covert channel under a specific cloud platform may be statistically modeled to eliminate the covert channel implementations which perform poorly, thereby narrowing the parameter space. A number of sample signals may be collected with their corresponding ground truth labels, and machine learning tools may be utilized to cross-validate the samples and estimate the capacity of the covert channels.
Abstract:
A computing device may use machine learning techniques to determine the level, degree, and severity of its vulnerability to side channel attacks. The computing device may intelligently and selectively perform obfuscation operations (e.g., operations to raise the noise floor) to prevent side channel attacks based on the determined level, degree, or severity of its current vulnerability to such attacks. The computing device may also monitor the current level of natural obfuscation produced by the device, determining whether there is sufficient natural obfuscation to prevent a side channel attack during an ongoing critical activity, and perform the obfuscation operation during the ongoing critical activity and in response to determining that there is not sufficient natural obfuscation to adequately protect the computing device against side channel attacks.
Abstract:
Described systems and methods allow protecting a computer system from malware, such as return-oriented programming (ROP) exploits. In some embodiments, a set of references are identified within a call stack used by a thread of a target process, each reference pointing into the memory space of an executable module loaded by the target process. Each such reference is analyzed to determine whether it points to a ROP gadget, and whether the respective reference was pushed on the stack by a legitimate function call. In some embodiments, a ROP score is indicative of whether the target process is subject to a ROP attack, the score determined according to a count of references to a loaded module, according to a stack footprint of the respective module, and further according to a count of ROP gadgets identified within the respective module.
Abstract:
There is described a method of protecting an item of software so as to obfuscate a condition which causes a variation in control flow through a portion of the item of software dependent on whether the condition is satisfied, wherein satisfaction of the condition is based on evaluation of one or more condition variables. The method comprises: (i) modifying the item of software such that the control flow through said portion is not dependent on whether the condition is satisfied; and (ii) inserting a plurality of identity transformations into expressions in said portion of the modified item of software, wherein the identity transformations are defined and inserted such that, in the absence of tampering, they maintain the results of the expressions if the condition is satisfied and such that they alter the results of the expressions if the condition is not satisfied, wherein each identity transformation is directly or indirectly dependent on at least one of the one or more condition variables. New variables may be defined as part of this method. There are also described associated apparatuses, computer programs and the like.
Abstract:
Determining sensitive information and preventing the unauthorized or unintended dissemination of such information are disclosed. Terms are determined from documents associated with users in a network. Distributions among users and relative frequencies with which the terms are used are determined. Link strengths between users are calculated. Based on the distribution of the terms, the relative frequencies of use among the user profiles and link strengths between users conducting information transactions that include the terms, a sensitivity level for each term can be determined. To determine whether a particular information transaction with particular terms may be conducted between two users in the network, a combination of link strength between the users and sensitivity level of the terms with respect to the users or users' profiles are considered. If the information transaction includes terms that are unknown to one of the users, then a warning or alarm can be raised.
Abstract:
Disclosed are devices, systems, apparatus, methods, products, and other implementations, including a method that includes identifying a process to obtain timing information of a processor-based device, and in response to identifying the process to obtain the timing information, delaying delivery of the timing information for a time-delay period. In some embodiments, identifying the process to obtain the timing information may include identifying a request to obtain the timing information of the processor-based device. In some embodiments, identifying the process to obtain the timing information may include identifying a memory-access process.
Abstract:
Technologies for preventing software-based side-channel attacks are generally disclosed. In some examples, a computing device may receive a cryptographic program having one or more programming instructions for performing a key handling operation and may add one or more programming instructions for performing an anti-attack operation to the one or more programming instructions for performing the key handling operation. The computing device may transmit the resulting cryptographic program with the anti-attack operation to an execution device. The execution device, such as a cloud computing system, may execute the cryptographic program, thereby causing execution of the anti-attack operation. The execution of the cryptographic program may prevent a side-channel attack by masking the number of key performance events that occur.