公开(公告)号：US11360876B2

公开(公告)日：2022-06-14

申请号：US16845512

申请日：2020-04-10

Applicant: Intel Corporation

Inventor： Michael Lemay ,  Beeman Strong

IPC: G06F11/34 ,  G06F11/30 ,  G06F21/57 ,  G06F21/56

Abstract: Processor trace systems and methods are described. For example, one embodiment comprises executing instrumented code by a compiler, the instrumented code including at least one call to un-instrumented code. The compiler can determine the at least one call to un-instrumented code is a next call to be executed. A resume tracing instruction can be inserted into the instrumented code prior to the at least one call to the un-instrumented code. The resume tracing instruction can be executed to selectively add processor tracing to the at least one call to the un-instrumented code, and the at least one call to the un-instrumented code can be executed.

公开(公告)号：US20210263779A1

公开(公告)日：2021-08-26

申请号：US17255588

申请日：2019-04-16

Applicant: Intel Corporation

Inventor： Mohammad R. Haghighat ,  Kshitij Doshi ,  Andrew J. Herdrich ,  Anup Mohan ,  Ravishankar R. Iyer ,  Mingqiu Sun ,  Krishna Bhuyan ,  Teck Joo Goh ,  Mohan J. Kumar ,  Michael Prinke ,  Michael Lemay ,  Leeor Peled ,  Jr-Shian Tsai ,  David M. Durham ,  Jeffrey D. Chamberlain ,  Vadim A. Sukhomlinov ,  Eric J. Dahlen ,  Sara Baghsorkhi ,  Harshad Sane ,  Areg Melik-Adamyan ,  Ravi Sahita ,  Dmitry Yurievich Babokin ,  Ian M. Steiner ,  Alexander Bachmutsky ,  Anil Rao ,  Mingwei Zhang ,  Nilesh K. Jain ,  Amin Firoozshahian ,  Baiju V. Patel ,  Wenyong Huang ,  Yeluri Raghuram

IPC: G06F9/50 ,  G06F21/53 ,  G06F9/52 ,  G06F21/60 ,  G06F11/30 ,  G06F11/34

Abstract: Embodiments of systems, apparatuses and methods provide enhanced function as a service (FaaS) to users, e.g., computer developers and cloud service providers (CSPs). A computing system configured to provide such enhanced FaaS service include one or more controls architectural subsystems, software and orchestration subsystems, network and storage subsystems, and security subsystems. The computing system executes functions in response to events triggered by the users in an execution environment provided by the architectural subsystems, which represent an abstraction of execution management and shield the users from the burden of managing the execution. The software and orchestration subsystems allocate computing resources for the function execution by intelligently spinning up and down containers for function code with decreased instantiation latency and increased execution scalability while maintaining secured execution. Furthermore, the computing system enables customers to pay only when their code gets executed with a granular billing down to millisecond increments.

公开(公告)号：US10795997B2

公开(公告)日：2020-10-06

申请号：US15629458

申请日：2017-06-21

Applicant: INTEL CORPORATION

Inventor： Michael Lemay

IPC: G06F21/56 ,  G06F21/55 ,  G06F21/52 ,  G06F21/54

Abstract: Techniques and computing devices for mitigating return-oriented programming (ROP) attacks are described. A hardened stack and an unhardened stack are provided. The hardened stack can include indications of return addresses while the unhardened stack can include all other memory allocations. A stack hardening instruction can be inserted before unhardened instructions (e.g., instructions that are themselves not authorized to access the hardened stack). The stack hardening instruction determines whether the unhardened instruction accessed memory outside the unhardened stack and generates a fault based on the determination. A register can be provided to include an indication of an address span of the unsafe stack. The stack hardening instruction can determine whether the unhardened instruction accessed a memory location outside the address range specified in the register and generate a fault accordingly.

公开(公告)号：US10558582B2

公开(公告)日：2020-02-11

申请号：US14974972

申请日：2015-12-18

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael Lemay ,  Men Long

IPC: G06F12/00 ,  G06F12/1027 ,  G06F9/30 ,  G06F12/14

Abstract: Technologies for execute only transactional memory include a computing device with a processor and a memory. The processor includes an instruction translation lookaside buffer (iTLB) and a data translation lookaside buffer (dTLB). In response to a page miss, the processor determines whether a page physical address is within an execute only transactional (XOT) range of the memory. If within the XOT range, the processor may populate the iTLB with the page physical address and prevent the dTLB from being populated with the page physical address. In response to an asynchronous change of control flow such as an interrupt, the processor determines whether a last iTLB translation is within the XOT range. If within the XOT range, the processor clears or otherwise secures the processor register state. The processor ensures that an XOT range starts execution at an authorized entry point. Other embodiments are described and claimed.

公开(公告)号：US10152612B2

公开(公告)日：2018-12-11

申请号：US14866211

申请日：2015-09-25

Applicant: INTEL CORPORATION

Inventor： Michael Lemay

IPC: G06F9/32 ,  G06F9/455 ,  H04L9/32 ,  G06F21/72 ,  G06F21/79

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for secure memory page mapping in a virtual machine (VM) environment. The system may include a processor configured to execute a virtual machine monitor (VMM). The VMM may be configured to maintain a table of cryptographic keys and associate a token with one of the memory pages to be mapped from a guest linear address (GLA) to a guest physical address (GPA). The token may include a key identifier (key ID) associated with one of the cryptographic keys, and an authentication code based on the GLA, the GPA, and one of the cryptographic keys. The system may also include a page walk processor configured to validate the token to indicate that the memory page associated with the token is authorized to be mapped from the GLA to the GPA.

公开(公告)号：US10061918B2

公开(公告)日：2018-08-28

申请号：US15088318

申请日：2016-04-01

Applicant: Intel Corporation

Inventor： Salmin Sultana ,  David M. Durham ,  Michael Lemay ,  Karanvir S. Grewal ,  Ravi L. Sahita

IPC: G06F12/14 ,  G06F21/55 ,  G06F17/30 ,  G06F12/1009 ,  G06F21/56 ,  G06F9/455

CPC classification number: G06F21/552 ,  G06F12/1009 ,  G06F12/109 ,  G06F12/145 ,  G06F16/245 ,  G06F21/55 ,  G06F21/56 ,  G06F2009/45583 ,  G06F2009/45591 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/65 ,  G06F2212/657 ,  G06F2221/034

Abstract: In one embodiment, a processor comprises: a first storage including a plurality of entries to store an address of a portion of a memory in which information has been modified; a second storage to store an identifier of a process for which information is to be stored into the first storage; and a first logic to identify a modification to a first portion of the memory and store a first address of the first portion of the memory in a first entry of the first storage, responsive to a determination that a current identifier of a current process corresponds to the identifier stored in the second storage. Other embodiments are described and claimed.

公开(公告)号：US11741018B2

公开(公告)日：2023-08-29

申请号：US17873668

申请日：2022-07-26

Applicant: Intel Corporation

Inventor： David M. Durham ,  Jacob Doweck ,  Michael Lemay ,  Deepak Gupta

IPC: G06F12/10 ,  G06F12/1027

CPC classification number: G06F12/1027 ,  G06F2212/681

Abstract: An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.

公开(公告)号：US11171983B2

公开(公告)日：2021-11-09

申请号：US16024089

申请日：2018-06-29

Applicant: INTEL CORPORATION

Inventor： Vadim Sukhomlinov ,  Kshitij Doshi ,  Michael Lemay ,  Dmitry Babokin ,  Areg Melik-Adamyan

IPC: G06F12/14 ,  H04L29/06 ,  G06F9/455 ,  G06F21/57 ,  G06F21/53 ,  G06F21/62

Abstract: Embodiments are directed toward techniques to detect a first function associated with an address space initiating a call instruction to a second function in the address space, the first function to call the second function in a deprivileged mode of operation, and define accessible address ranges for segments of the address space for the second function, each segment to a have a different address range in the address space where the second function is permitted to access in the deprivileged mode of operation, Embodiments include switching to the stack associated with the second address space and the second function, and initiating execution of the second function in the deprivileged mode of operation.

公开(公告)号：US20210117343A1

公开(公告)日：2021-04-22

申请号：US17133734

申请日：2020-12-24

Applicant: Intel Corporation

Inventor： Michael Lemay ,  David A. Koufaty ,  Ravi L. Sahita

IPC: G06F12/14 ,  G06F21/53 ,  G06F21/56

Abstract: Enforcing memory operand types using protection keys is generally described herein. A processor system to provide sandbox execution support for protection key rights attacks includes a processor core to execute a task associated with an untrusted application and execute the task using a designated page of a memory; and a memory management unit to designate the page of the memory to support execution of the untrusted application.

公开(公告)号：US10769272B2

公开(公告)日：2020-09-08

申请号：US15721553

申请日：2017-09-29

Applicant: Intel Corporation

Inventor： David M. Durham ,  Karanvir S. Grewal ,  Sergej Deutsch ,  Michael Lemay

IPC: G06F9/455 ,  G06F21/53 ,  G06F21/57 ,  H04L29/06

Abstract: Systems, apparatuses and methods may provide for technology that associates a key domain of a plurality of key domains with a customer boot image, receives the customer boot image from the customer, and verifies the integrity of the customer boot image that is to be securely installed at memory locations determined from an untrusted privileged entity (e.g., a virtual machine manager).