公开(公告)号：US10324863B2

公开(公告)日：2019-06-18

申请号：US14127561

申请日：2013-06-24

Applicant: Intel Corporation

Inventor： Michael Lemay ,  David M. Durham ,  Ravi L. Sahita ,  Andrew V. Anderson

IPC: G06F12/00 ,  G06F12/14 ,  G06F12/1009 ,  G06F9/455 ,  G06F21/70 ,  G06F21/79 ,  G06F9/30

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a protected memory view in a virtual machine (VM) environment enabling nested page table access by trusted guest software outside of VMX root mode. The system may include an editor module configured to provide access to a nested page table structure, by operating system (OS) kernel components and by user space applications within a guest of the VM, wherein the nested page table structure is associated with one of the protected memory views. The system may also include a page handling processor configured to secure that access by maintaining security information in the nested page table structure.

公开(公告)号：US10235301B2

公开(公告)日：2019-03-19

申请号：US15652028

申请日：2017-07-17

Applicant: INTEL CORPORATION

Inventor： Michael Lemay ,  David M. Durham ,  Andrew V. Anderson ,  Gilbert Neiger ,  Ravi L. Sahita

IPC: G06F9/455 ,  G06F12/1009 ,  G06F12/1027 ,  G06F12/14 ,  G06F21/00 ,  G06F21/53

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a page table edit controller configured to control access to guest page tables by virtual machine (VM) guest software through the manipulation of extended page tables. The system may include a translation look-aside buffer (TLB) to maintain a policy to lock one or more guest linear addresses (GLAs) to one or more allowable guest physical addresses (GPAs); a page walk processor to update the TLB based on the guest page tables; and a page table edit control (PTEC) module to: identify entries of the guest page tables that map GLAs associated with the policy to a first GPA; verify that the mapping conforms to the policy; and place the guest page table into one of a plurality of restricted accessibility states based on the verification, the restricted accessibility applied to the VM guests and to the page walk processor.

公开(公告)号：US09954950B2

公开(公告)日：2018-04-24

申请号：US14757733

申请日：2015-12-23

Applicant: Intel Corporation

Inventor： Michael Lemay ,  Scott Robinson

IPC: G06F21/00 ,  H04L29/08 ,  G06F21/62

CPC classification number: H04L67/1097 ,  G06F21/6245

Abstract: Solutions for controlling data exposure among computing entities are described. A data transfer agent (DTA) module includes a data payload portion to store information content conditionally transferable to at least one other DTA module, and a code portion containing instructions that operationally implement: a DTA connectivity link to the at least one other DTA module; an attestation module to obtain, via the DTA connectivity link, attestation from each of the at least one other DTA module indicating a data output connectivity configuration of that other DTA module; and a decision module to determine a degree of permissible interaction with each of the at least one other DTA module based the attestation and on decision criteria.

公开(公告)号：US09817976B2

公开(公告)日：2017-11-14

申请号：US14757945

申请日：2015-12-24

Applicant: INTEL CORPORATION

Inventor： Michael Lemay ,  David M. Durham

IPC: G06F12/14 ,  G06F21/56 ,  H04L29/06

CPC classification number: G06F21/566 ,  G06F21/567 ,  G06F2221/032 ,  H04L63/1416 ,  H04L63/145

Abstract: Various embodiments are generally directed to techniques for detecting malware in a manner that mitigates the consumption of processing and/or storage resources of a processing device. An apparatus may include a first processor component of a processing device to generate entries in a chronological order within a first page modification log maintained within a first storage divided into multiple pages, each entry to indicate a write access made by the first processor component to a page of the multiple pages; a retrieval component of a graphics controller of the processing device to recurringly retrieve indications from the first page modification log of at least one recently written page of the multiple pages; and a scan component of the graphics controller to recurringly scan the at least one recently written page to detect malware within the at least one recently written page.

公开(公告)号：US09335943B2

公开(公告)日：2016-05-10

申请号：US14320334

申请日：2014-06-30

Applicant: Intel Corporation

Inventor： Ravi L. Sahita ,  Vedvyas Shanbhogue ,  Gilbert Neiger ,  Jonathan Edwards ,  Ido Ouziel ,  Barry E. Huntley ,  Stanislav Shwartsman ,  David M. Durham ,  Andrew V. Anderson ,  Michael Lemay

IPC: G06F21/00 ,  G06F3/06 ,  G06F12/10 ,  G06F9/455

CPC classification number: G06F9/45558 ,  G06F9/3004 ,  G06F9/30076 ,  G06F12/1009 ,  G06F2009/45583 ,  G06F2212/657

Abstract: An apparatus and method for fine grain memory protection. For example, one embodiment of a method comprises: performing a first lookup operation using a virtual address to identify a physical address of a memory page, the memory page comprising a plurality of sub-pages; determining whether sub-page permissions are enabled for the memory page; if sub-page permissions are enabled, then performing a second lookup operation to determine permissions associated with one or more of the sub-pages of the memory page; and implementing the permissions associated with the one or more sub-pages.

Abstract translation: 一种细粒度记忆保护装置和方法。 例如，方法的一个实施例包括：使用虚拟地址执行第一查找操作以识别存储器页面的物理地址，所述存储器页面包括多个子页面; 确定是否为所述存储器页启用子页面许可; 如果启用子页面许可，则执行第二查找操作以确定与存储器页面的一个或多个子页面相关联的许可; 以及实现与一个或多个子页面相关联的许可。

公开(公告)号：US12045174B2

公开(公告)日：2024-07-23

申请号：US17704771

申请日：2022-03-25

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael Lemay

IPC: G06F12/14 ,  G06F9/30

CPC classification number: G06F12/1408 ,  G06F9/30043 ,  G06F12/1441 ,  G06F12/1458

Abstract: Embodiments are directed to tagless implicit integrity with multi-perspective pattern search for memory safety. An embodiment of an apparatus includes one or more processors comprising hardware circuitry to: access encrypted data stored in a memory hierarchy using a pointer; decrypt the encrypted data using a current version of a pointer tag of the pointer to yield first decrypted data; perform an entropy test on the first decrypted data; responsive to the entropy test failing to detect patterns in the first decrypted data, re-decrypt the encrypted data using one or more different versions of the pointer tag of the pointer to yield one or more other decrypted data; perform the entropy test on the one or more other decrypted versions; and responsive to the entropy test detecting the patterns in the one or more other decrypted data, signal an exception to the one or more processors with respect to the encrypted data.

公开(公告)号：US11630920B2

公开(公告)日：2023-04-18

申请号：US16024257

申请日：2018-06-29

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael Lemay ,  Siddhartha Chhabra ,  Kai Cong

IPC: G06F21/72 ,  G06F21/73 ,  G06F21/64 ,  G06F21/53 ,  G06F12/0895 ,  H04L9/06 ,  H04L9/00 ,  H04L9/32 ,  G06F21/75

Abstract: A system may use memory tagging for side-channel defense, memory safety, and sandboxing to reduce the likelihood of successful attacks. The system may include memory tagging circuitry to address existing and potential hardware and software architectures security vulnerabilities. The memory tagging circuitry may prevent memory pointers from being overwritten, prevent memory pointer manipulation (e.g., by adding values), and increase the granularity of memory tagging to include byte-level tagging in cache. The memory tagging circuitry may sandbox untrusted code by tagging portions of memory to indicate when the tagged portions of memory include contain a protected pointer. The memory tagging circuitry provides security features while enabling CPUs to continue using and benefiting from speculatively performing operations. By co-locating all tagging information at a cacheline granularity with its associated data, the processor has all the information needed to perform access control decisions immediately and non-speculatively, while maintaining high performance and cache coherency.

公开(公告)号：US20230112707A1

公开(公告)日：2023-04-13

申请号：US18074232

申请日：2022-12-02

Applicant: Intel Corporation

Inventor： Michael Lemay ,  David A. Koufaty ,  Ravi L. Sahita

IPC: G06F12/14 ,  G06F21/53 ,  G06F21/56

Abstract: Enforcing memory operand types using protection keys is generally described herein. A processor system to provide sandbox execution support for protection key rights attacks includes a processor core to execute a task associated with an untrusted application and execute the task using a designated page of a memory; and a memory management unit to designate the page of the memory to support execution of the untrusted application.

公开(公告)号：US11144479B2

公开(公告)日：2021-10-12

申请号：US16686379

申请日：2019-11-18

Applicant: Intel Corporation

Inventor： Ravi L. Sahita ,  Gilbert Neiger ,  Vedvyas Shanbhogue ,  David M. Durham ,  Andrew V. Anderson ,  David A. Koufaty ,  Asit K. Mallick ,  Arumugam Thiyagarajah ,  Barry E. Huntley ,  Deepak K. Gupta ,  Michael Lemay ,  Joseph F. Cihula ,  Baiju V. Patel

IPC: G06F12/00 ,  G06F12/14 ,  G06F12/1009 ,  G06F12/1027 ,  G06F9/455 ,  G06F21/78

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

公开(公告)号：US11030113B1

公开(公告)日：2021-06-08

申请号：US16728928

申请日：2019-12-27

Applicant: Intel Corporation

Inventor： David M. Durham ,  Jacob Doweck ,  Michael Lemay ,  Deepak Gupta

IPC: G06F12/10 ,  G06F12/1027

Abstract: An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.