公开(公告)号：US20180373895A9

公开(公告)日：2018-12-27

申请号：US15444771

申请日：2017-02-28

Applicant: Intel Corporation

Inventor： David M. Durham ,  Gilbert Neiger ,  Barry E. Huntley ,  Ravi L. Sahita ,  Baiju V. Patel

IPC: G06F21/71 ,  G06F9/455 ,  H04L9/08

Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, can verify correctness of the control structures of guest VMs.

公开(公告)号：US20180247082A1

公开(公告)日：2018-08-30

申请号：US15444771

申请日：2017-02-28

Applicant: Intel Corporation

Inventor： David M. Durham ,  Gilbert Neiger ,  Barry E. Huntley ,  Ravi L. Sahita ,  Baiju V. Patel

IPC: G06F21/71 ,  G06F9/455 ,  H04L9/08

CPC classification number: G06F21/71 ,  G06F8/63 ,  G06F9/45533 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/57 ,  G06F21/78 ,  G06F2009/45579 ,  G06F2009/45587 ,  G06F2212/402 ,  G06F2221/2149 ,  H04L9/0822

Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, can verify correctness of the control structures of guest VMs.

公开(公告)号：US20180046823A1

公开(公告)日：2018-02-15

申请号：US15293967

申请日：2016-10-14

Applicant: Intel Corporation

Inventor： David M. Durham ,  Ravi L. Sahita ,  Barry E. Huntley ,  Nikhil M. Deshpande

IPC: G06F21/62 ,  G06F21/53 ,  H04L9/08 ,  H04L29/06

CPC classification number: G06F21/6245 ,  G06F21/53 ,  H04L9/08 ,  H04L9/0894 ,  H04L9/3236 ,  H04L63/06

Abstract: A method, system, computer-readable media, and apparatus for ensuring a secure cloud environment is provided, where public cloud services providers can remove their code from the Trusted Computing Base (TCB) of their cloud services consumers. The method for ensuring a secure cloud environment keeps the Virtual Machine Monitor (VMM), devices, firmware and the physical adversary (where a bad administrator/technician attempts to directly access the cloud host hardware) outside of a consumer's Virtual Machine (VM) TCB. Only the consumer that owns this secure VM can modify the VM or access contents of the VM (as determined by the consumer).

公开(公告)号：US09805194B2

公开(公告)日：2017-10-31

申请号：US14671764

申请日：2015-03-27

Applicant: Intel Corporation

Inventor： Michael LeMay ,  David M. Durham ,  Men Long

IPC: G06F11/00 ,  G06F21/56 ,  G06F12/0802 ,  G06F12/1009

CPC classification number: G06F21/567 ,  G06F12/0802 ,  G06F12/1009 ,  G06F21/564

Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes a walker to traverse a paging structure of an address translation system; a bit analyzer to determine whether a bit associated with an entry of the paging structure is indicative of the entry being recently accessed; an address identifier to, when the bit analyzer determines that the bit associated with the entry of the paging structure is indicative of the entry being recently accessed, determine an address associated with the entry; and an outputter to provide the determined address to a memory scanner.

公开(公告)号：US20170286672A1

公开(公告)日：2017-10-05

申请号：US15088318

申请日：2016-04-01

Applicant: Intel Corporation

Inventor： Salmin Sultana ,  David M. Durham ,  Michael Lemay ,  Karanvir S. Grewal ,  Ravi L. Sahita

IPC: G06F21/55 ,  G06F12/10 ,  G06F12/14 ,  G06F9/455 ,  G06F17/30

CPC classification number: G06F21/552 ,  G06F12/1009 ,  G06F12/145 ,  G06F17/30424 ,  G06F21/55 ,  G06F21/56 ,  G06F2009/45583 ,  G06F2009/45591 ,  G06F2212/1052 ,  G06F2212/65 ,  G06F2221/034

Abstract: In one embodiment, a processor comprises: a first storage including a plurality of entries to store an address of a portion of a memory in which information has been modified; a second storage to store an identifier of a process for which information is to be stored into the first storage; and a first logic to identify a modification to a first portion of the memory and store a first address of the first portion of the memory in a first entry of the first storage, responsive to a determination that a current identifier of a current process corresponds to the identifier stored in the second storage. Other embodiments are described and claimed.

公开(公告)号：US09710675B2

公开(公告)日：2017-07-18

申请号：US14669235

申请日：2015-03-26

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Jungju Oh ,  Men Long ,  Eugene M. Kishinevsky

IPC: G06F21/79 ,  G06F21/71 ,  H04L9/08 ,  G06F12/14 ,  H04L9/32

CPC classification number: G06F21/79 ,  G06F12/1408 ,  G06F21/71 ,  G06F2212/1052 ,  H04L9/0891 ,  H04L9/3242

Abstract: In an embodiment, a processor includes: at least one core to execute instructions; a cache memory coupled to the at least one core to store data; and a tracker cache memory coupled to the at least one core. The tracker cache memory includes entries to store an integrity value associated with a data block to be written to a memory coupled to the processor. Other embodiments are described and claimed.

公开(公告)号：US20170185532A1

公开(公告)日：2017-06-29

申请号：US14998054

申请日：2015-12-24

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Sergej Deutsch ,  Men Long ,  Alpa T. Narendra Trivedi

IPC: G06F12/14 ,  G06F11/10

CPC classification number: G06F11/1004 ,  G06F12/0886 ,  G06F12/1408 ,  G06F21/00 ,  G06F21/79 ,  G06F2212/401 ,  H04L9/0858 ,  H04L9/304

Abstract: Apparatus, systems, and/or methods may provide for identifying unencrypted data including a plurality of bits, wherein the unencrypted data may be encrypted and stored in memory. In addition, a determination may be made as to whether the unencrypted data includes a random distribution of the plurality of bits, for example based on a compressibility function. An integrity action may be implemented when the unencrypted data includes a random distribution of the plurality of bits, which may include error correction including a modification to ciphertext of the unencrypted data. Independently of error correction, a diffuser may generate intermediate and final ciphertext. In addition, a key and/or a tweak may be derived for a location in the memory. Moreover, an integrity value may be generated (e.g., as a copy) from a portion of the unencrypted data, and/or stored in a slot of an integrity check line based on the location.

公开(公告)号：US20160269406A1

公开(公告)日：2016-09-15

申请号：US15154399

申请日：2016-05-13

Applicant: Intel Corporation

Inventor： Michelle H. Chuaprasert ,  David M. Durham ,  Mark D. Boucher ,  Sanjay Bakshi

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/0876 ,  G06F21/35 ,  G06Q10/10 ,  G06Q30/02 ,  H04L67/306

Abstract: An embodiment includes a main compute node that detects the physical presence of a first user and subsequently loads a profile for the first user. The main compute node may detect the first user's presence based on detecting a first compute node corresponding to the first user. For example, the main compute node may be a desktop computer that detects the presence of the first user's Smart phone, which is nearby the first user. The main compute node may unload the first user's profile when the main compute node no longer detects the first user's presence. Upon detecting a second user's presence, the main computer may load a profile for the second user. The profile may include cookies and/or other identifiers for the second user. The profile may facilitate the second user's navigation of a computing environment (e.g. web pages). Other embodiments are addressed herein.

Abstract translation: 一个实施例包括主计算节点，其检测第一用户的物理存在并随后加载用于第一用户的简档。 主计算节点可以基于检测对应于第一用户的第一计算节点来检测第一用户的存在。 例如，主计算节点可以是检测在第一用户附近的第一用户的智能电话的存在的台式计算机。 当主计算节点不再检测到第一用户的存在时，主计算节点可以卸载第一用户的简档。 在检测到第二用户的存在时，主计算机可以加载用于第二用户的简档。 该简档可以包括用于第二用户的cookie和/或其他标识符。 该简档可以促进第二用户导航计算环境（例如，网页）。 其他实施例在这里被解决。

公开(公告)号：US09361471B2

公开(公告)日：2016-06-07

申请号：US14557079

申请日：2014-12-01

Applicant: Intel Corporation

Inventor： David M. Durham ,  Hormuzd M. Khosravi ,  Uri Blumenthal ,  Men Long

IPC: H04L9/32 ,  G06F21/00 ,  G06F21/62 ,  G06F12/14 ,  G06F21/53 ,  G06F21/52

CPC classification number: G06F21/6209 ,  G06F12/1408 ,  G06F12/1466 ,  G06F12/1475 ,  G06F21/52 ,  G06F21/53

Abstract: Embodiments of apparatuses, articles, methods, and systems for secure vault service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the authenticated/authorized/verified software component. Other embodiments may be described and claimed.

Abstract translation: 这里一般地描述用于执行环境中的软件组件的安全保险库服务的装置，物品，方法和系统的实施例。 一个实施例包括虚拟机监视器，操作系统监视器或其他底层平台功能的能力，以限制存储器区域，以便仅通过特定认证的，授权的和已验证的软件组件进行访问，即使在其他受损的操作系统环境的一部分。 代表被保护的内存区域中提供的经过身份验证/授权/验证的软件组件的锁定和解锁秘密的底层平台只能由经过身份验证/授权/验证的软件组件访问。 可以描述和要求保护其他实施例。

公开(公告)号：US09275225B2

公开(公告)日：2016-03-01

申请号：US13838091

申请日：2013-03-15

Applicant: INTEL CORPORATION

Inventor： Rekha N. Bachwani ,  Ravi L. Sahita ,  David M. Durham

IPC: G06F21/00 ,  G06F21/56 ,  G06F21/55

CPC classification number: G06F21/56 ,  G06F9/45558 ,  G06F21/554 ,  G06F21/563 ,  G06F21/566 ,  G06F2009/45583 ,  G06F2009/45587

Abstract: Technologies for securing an electronic device include determining addresses of one or more memory pages, injecting for each memory page a portion of identifier data into the memory page, storing an indication of the identifier data injected into each of the memory pages, determining an attempt to access at least one of the memory pages, determining any of the identifier data present on a memory page associated with the attempt, comparing the indication of the identifier data with the determined identifier data present on the memory page, and, based on the comparison, determining whether to allow the access.

Abstract translation: 用于确保电子设备的技术包括确定一个或多个存储器页面的地址，将每个存储器页面的一部分标识符数据注入存储器页面，存储注入到每个存储器页面中的标识符数据的指示， 访问存储器页面中的至少一个，确定存在于与尝试相关联的存储器页面上的任何标识符数据，将标识符数据的指示与存储在页面上的确定的标识符数据进行比较，并且基于该比较， 确定是否允许访问。