公开(公告)号：US10860709B2

公开(公告)日：2020-12-08

申请号：US16024547

申请日：2018-06-29

Applicant: Intel Corporation

Inventor： Michael Lemay ,  David M. Durham ,  Michael E. Kounavis ,  Barry E. Huntley ,  Vedvyas Shanbhogue ,  Jason W. Brandt ,  Josh Triplett ,  Gilbert Neiger ,  Karanvir Grewal ,  Baiju V. Patel ,  Ye Zhuang ,  Jr-Shian Tsai ,  Vadim Sukhomlinov ,  Ravi Sahita ,  Mingwei Zhang ,  James C. Farwell ,  Amitabh Das ,  Krishna Bhuyan

IPC: G06F21/53 ,  G06F12/02

Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

公开(公告)号：US11562063B2

公开(公告)日：2023-01-24

申请号：US17114246

申请日：2020-12-07

Applicant: INTEL CORPORATION

Inventor： Michael Lemay ,  David M. Durham ,  Michael E. Kounavis ,  Barry E. Huntley ,  Vedvyas Shanbhogue ,  Jason W. Brandt ,  Josh Triplett ,  Gilbert Neiger ,  Karanvir Grewal ,  Baiju Patel ,  Ye Zhuang ,  Jr-Shian Tsai ,  Vadim Sukhomlinov ,  Ravi Sahita ,  Mingwei Zhang ,  James C. Farwell ,  Amitabh Das ,  Krishna Bhuyan

IPC: G06F21/53 ,  G06F12/02

Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

公开(公告)号：US20190050558A1

公开(公告)日：2019-02-14

申请号：US16040193

申请日：2018-07-19

Applicant: Intel Corporation

Inventor： Michael LeMay ,  Ye Zhuang

IPC: G06F21/53 ,  G06F21/62 ,  G06F8/41 ,  G06F8/70 ,  G06F12/14

Abstract: The disclosed embodiments relate to system, method and apparatus to compartmentalize information in a program so as to protect against malware. In one embodiment, the disclosed provides a compiler that is enhanced to automatically define multiple compartments within a program based on the data sets that they access. The disclosed embodiments may be implemented at a compiler and certain embodiments may be referred to as compartmentalizing compiler. For each data set, an exemplary compartmentalizing compiler separates program elements that need direct access to the data set from those that do not and it defines a boundary around the data set and the program elements that need to access it. In certain embodiments, other portions of the program may still need to invoke the compartment. Thus, the disclosure also generates interface routines to copy data back and forth through the compartment boundary.

公开(公告)号：US11188639B2

公开(公告)日：2021-11-30

申请号：US16040193

申请日：2018-07-19

Applicant: Intel Corporation

Inventor： Michael LeMay ,  Ye Zhuang

IPC: G06F21/53 ,  G06F21/62 ,  G06F12/14 ,  G06F8/70 ,  G06F8/41 ,  G06F21/54

Abstract: The disclosed embodiments relate to system, method and apparatus to compartmentalize information in a program so as to protect against malware. In one embodiment, the disclosed provides a compiler that is enhanced to automatically define multiple compartments within a program based on the data sets that they access. The disclosed embodiments may be implemented at a compiler and certain embodiments may be referred to as compartmentalizing compiler. For each data set, an exemplary compartmentalizing compiler separates program elements that need direct access to the data set from those that do not and it defines a boundary around the data set and the program elements that need to access it. In certain embodiments, other portions of the program may still need to invoke the compartment. Thus, the disclosure also generates interface routines to copy data back and forth through the compartment boundary.