公开(公告)号：US10223528B2

公开(公告)日：2019-03-05

申请号：US15276895

申请日：2016-09-27

Applicant: Intel Corporation

Inventor： Michael E. Kounavis ,  David M. Durham ,  Ravi L. Sahita ,  Karanvir S. Grewal

IPC: G06F21/00 ,  G06F21/54 ,  G06F21/56

Abstract: Technologies for code flow integrity protection include a static analyzer that identifies a potential gadget in an atomic code path of a protected code. A marker instruction is inserted after the potential gadget with a parameter that corresponds to an address of the marker instruction, a hash evaluator instruction is inserted after an exit point of the atomic code path with a parameter that corresponds to the address of the marker instruction, and a compare evaluator instruction and a hash check instruction are inserted after the hash evaluator instruction. A target computing device executes the protected code and updates a path hash as a function of the parameter of the marker instruction, determines an expected hash value as a function of the parameter of the hash evaluator instruction, and generates an exception if the path hash and the expected hash value do not match. Other embodiments are described and claimed.

公开(公告)号：US20190042402A1

公开(公告)日：2019-02-07

申请号：US15939871

申请日：2018-03-29

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  David M. Durham

IPC: G06F12/02 ,  H04L9/08

CPC classification number: G06F12/0215 ,  G06F9/45558 ,  G06F12/0207 ,  G06F12/1036 ,  G06F12/1408 ,  G06F12/1475 ,  G06F2009/45587 ,  G06F2212/651 ,  G06F2212/68 ,  H04L9/088 ,  H04L9/0894 ,  H04L9/14

Abstract: In one embodiment, an apparatus includes a page miss handler to receive a full address including a linear address portion having a linear address and a key identifier portion having a key identifier for a key. The page miss handler may insert an entry including this key identifier in a translation storage. The apparatus further may include a remapping table having a plurality of entries each to store information regarding a key identifier. Other embodiments are described and claimed.

公开(公告)号：US20180373895A9

公开(公告)日：2018-12-27

申请号：US15444771

申请日：2017-02-28

Applicant: Intel Corporation

Inventor： David M. Durham ,  Gilbert Neiger ,  Barry E. Huntley ,  Ravi L. Sahita ,  Baiju V. Patel

IPC: G06F21/71 ,  G06F9/455 ,  H04L9/08

Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, can verify correctness of the control structures of guest VMs.

公开(公告)号：US20180247082A1

公开(公告)日：2018-08-30

申请号：US15444771

申请日：2017-02-28

Applicant: Intel Corporation

Inventor： David M. Durham ,  Gilbert Neiger ,  Barry E. Huntley ,  Ravi L. Sahita ,  Baiju V. Patel

IPC: G06F21/71 ,  G06F9/455 ,  H04L9/08

CPC classification number: G06F21/71 ,  G06F8/63 ,  G06F9/45533 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/57 ,  G06F21/78 ,  G06F2009/45579 ,  G06F2009/45587 ,  G06F2212/402 ,  G06F2221/2149 ,  H04L9/0822

Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, can verify correctness of the control structures of guest VMs.

公开(公告)号：US20180046823A1

公开(公告)日：2018-02-15

申请号：US15293967

申请日：2016-10-14

Applicant: Intel Corporation

Inventor： David M. Durham ,  Ravi L. Sahita ,  Barry E. Huntley ,  Nikhil M. Deshpande

IPC: G06F21/62 ,  G06F21/53 ,  H04L9/08 ,  H04L29/06

CPC classification number: G06F21/6245 ,  G06F21/53 ,  H04L9/08 ,  H04L9/0894 ,  H04L9/3236 ,  H04L63/06

Abstract: A method, system, computer-readable media, and apparatus for ensuring a secure cloud environment is provided, where public cloud services providers can remove their code from the Trusted Computing Base (TCB) of their cloud services consumers. The method for ensuring a secure cloud environment keeps the Virtual Machine Monitor (VMM), devices, firmware and the physical adversary (where a bad administrator/technician attempts to directly access the cloud host hardware) outside of a consumer's Virtual Machine (VM) TCB. Only the consumer that owns this secure VM can modify the VM or access contents of the VM (as determined by the consumer).

公开(公告)号：US09805194B2

公开(公告)日：2017-10-31

申请号：US14671764

申请日：2015-03-27

Applicant: Intel Corporation

Inventor： Michael LeMay ,  David M. Durham ,  Men Long

IPC: G06F11/00 ,  G06F21/56 ,  G06F12/0802 ,  G06F12/1009

CPC classification number: G06F21/567 ,  G06F12/0802 ,  G06F12/1009 ,  G06F21/564

Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes a walker to traverse a paging structure of an address translation system; a bit analyzer to determine whether a bit associated with an entry of the paging structure is indicative of the entry being recently accessed; an address identifier to, when the bit analyzer determines that the bit associated with the entry of the paging structure is indicative of the entry being recently accessed, determine an address associated with the entry; and an outputter to provide the determined address to a memory scanner.

公开(公告)号：US20170286672A1

公开(公告)日：2017-10-05

申请号：US15088318

申请日：2016-04-01

Applicant: Intel Corporation

Inventor： Salmin Sultana ,  David M. Durham ,  Michael Lemay ,  Karanvir S. Grewal ,  Ravi L. Sahita

IPC: G06F21/55 ,  G06F12/10 ,  G06F12/14 ,  G06F9/455 ,  G06F17/30

CPC classification number: G06F21/552 ,  G06F12/1009 ,  G06F12/145 ,  G06F17/30424 ,  G06F21/55 ,  G06F21/56 ,  G06F2009/45583 ,  G06F2009/45591 ,  G06F2212/1052 ,  G06F2212/65 ,  G06F2221/034

Abstract: In one embodiment, a processor comprises: a first storage including a plurality of entries to store an address of a portion of a memory in which information has been modified; a second storage to store an identifier of a process for which information is to be stored into the first storage; and a first logic to identify a modification to a first portion of the memory and store a first address of the first portion of the memory in a first entry of the first storage, responsive to a determination that a current identifier of a current process corresponds to the identifier stored in the second storage. Other embodiments are described and claimed.

公开(公告)号：US09710675B2

公开(公告)日：2017-07-18

申请号：US14669235

申请日：2015-03-26

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Jungju Oh ,  Men Long ,  Eugene M. Kishinevsky

IPC: G06F21/79 ,  G06F21/71 ,  H04L9/08 ,  G06F12/14 ,  H04L9/32

CPC classification number: G06F21/79 ,  G06F12/1408 ,  G06F21/71 ,  G06F2212/1052 ,  H04L9/0891 ,  H04L9/3242

Abstract: In an embodiment, a processor includes: at least one core to execute instructions; a cache memory coupled to the at least one core to store data; and a tracker cache memory coupled to the at least one core. The tracker cache memory includes entries to store an integrity value associated with a data block to be written to a memory coupled to the processor. Other embodiments are described and claimed.

公开(公告)号：US20170185532A1

公开(公告)日：2017-06-29

申请号：US14998054

申请日：2015-12-24

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Sergej Deutsch ,  Men Long ,  Alpa T. Narendra Trivedi

IPC: G06F12/14 ,  G06F11/10

CPC classification number: G06F11/1004 ,  G06F12/0886 ,  G06F12/1408 ,  G06F21/00 ,  G06F21/79 ,  G06F2212/401 ,  H04L9/0858 ,  H04L9/304

Abstract: Apparatus, systems, and/or methods may provide for identifying unencrypted data including a plurality of bits, wherein the unencrypted data may be encrypted and stored in memory. In addition, a determination may be made as to whether the unencrypted data includes a random distribution of the plurality of bits, for example based on a compressibility function. An integrity action may be implemented when the unencrypted data includes a random distribution of the plurality of bits, which may include error correction including a modification to ciphertext of the unencrypted data. Independently of error correction, a diffuser may generate intermediate and final ciphertext. In addition, a key and/or a tweak may be derived for a location in the memory. Moreover, an integrity value may be generated (e.g., as a copy) from a portion of the unencrypted data, and/or stored in a slot of an integrity check line based on the location.

公开(公告)号：US20160269406A1

公开(公告)日：2016-09-15

申请号：US15154399

申请日：2016-05-13

Applicant: Intel Corporation

Inventor： Michelle H. Chuaprasert ,  David M. Durham ,  Mark D. Boucher ,  Sanjay Bakshi

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/0876 ,  G06F21/35 ,  G06Q10/10 ,  G06Q30/02 ,  H04L67/306

Abstract: An embodiment includes a main compute node that detects the physical presence of a first user and subsequently loads a profile for the first user. The main compute node may detect the first user's presence based on detecting a first compute node corresponding to the first user. For example, the main compute node may be a desktop computer that detects the presence of the first user's Smart phone, which is nearby the first user. The main compute node may unload the first user's profile when the main compute node no longer detects the first user's presence. Upon detecting a second user's presence, the main computer may load a profile for the second user. The profile may include cookies and/or other identifiers for the second user. The profile may facilitate the second user's navigation of a computing environment (e.g. web pages). Other embodiments are addressed herein.

Abstract translation: 一个实施例包括主计算节点，其检测第一用户的物理存在并随后加载用于第一用户的简档。 主计算节点可以基于检测对应于第一用户的第一计算节点来检测第一用户的存在。 例如，主计算节点可以是检测在第一用户附近的第一用户的智能电话的存在的台式计算机。 当主计算节点不再检测到第一用户的存在时，主计算节点可以卸载第一用户的简档。 在检测到第二用户的存在时，主计算机可以加载用于第二用户的简档。 该简档可以包括用于第二用户的cookie和/或其他标识符。 该简档可以促进第二用户导航计算环境（例如，网页）。 其他实施例在这里被解决。