公开(公告)号：US20240329844A1

公开(公告)日：2024-10-03

申请号：US18741701

申请日：2024-06-12

Applicant: Microsoft Technology Licensing, LLC

Inventor： David Thomas CHISNALL ,  Hongyan XIA ,  Nathaniel Wesley FILARDO ,  Robert McNeill NORTON-WRIGHT

IPC: G06F3/06 ,  G06F9/38 ,  G06F12/14 ,  G06F21/52

CPC classification number: G06F3/0611 ,  G06F3/0629 ,  G06F3/0673 ,  G06F9/3867 ,  G06F12/145 ,  G06F21/52 ,  G06F2212/1032 ,  G06F2212/1052

Abstract: A hardware revocation engine for invalidating a pointer, that refers to a deallocated object, from memory in a memory constrained system. The hardware revocation engine has a revocation pipeline coupled to a pipeline of a main processor of the memory constrained system. The revocation pipeline shares access to memory with the main pipeline, the revocation pipeline comprising at least a first stage and a subsequent second stage. In a first cycle of the revocation pipeline, the first stage of the revocation pipeline loads a first pointer-sized value from the memory. In a second cycle: the second stage checks whether the first loaded pointer-sized value is a pointer referring to deallocated memory. In a third cycle: in response to the outcome of the check indicating that the first loaded pointer-sized value is a pointer referring to deallocated memory, the first stage invalidates the first pointer-sized value.

公开(公告)号：US20230393746A1

公开(公告)日：2023-12-07

申请号：US17934355

申请日：2022-09-22

Applicant: Microsoft Technology Licensing, LLC

Inventor： David Thomas CHISNALL ,  Hongyan XIA ,  Nathaniel Wesley FILARDO ,  Robert McNeill NORTON-WRIGHT

IPC: G06F3/06

CPC classification number: G06F3/0611 ,  G06F3/0629 ,  G06F3/0673

Abstract: A hardware revocation engine for invalidating a pointer, that refers to a deallocated object, from memory in a memory constrained system. The hardware revocation engine has a revocation pipeline coupled to a pipeline of a main processor of the memory constrained system. The revocation pipeline shares access to memory with the main pipeline, the revocation pipeline comprising at least a first stage and a subsequent second stage. In a first cycle of the revocation pipeline, the first stage of the revocation pipeline loads a first pointer-sized value from the memory. In a second cycle: the second stage checks whether the first loaded pointer-sized value is a pointer referring to deallocated memory. In a third cycle: in response to the outcome of the check indicating that the first loaded pointer-sized value is a pointer referring to deallocated memory, the first stage invalidates the first pointer-sized value.

公开(公告)号：US20230029331A1

公开(公告)日：2023-01-26

申请号：US17385765

申请日：2021-07-26

Applicant: Microsoft Technology Licensing, LLC

Inventor： David Thomas CHISNALL ,  Nathaniel Wesley FILARDO ,  Robert McNeill NORTON-WRIGHT

IPC: G06F12/02

Abstract: In examples there is a computing device comprising a processor, the processor having a memory management unit. The computing device also has a memory that stores instructions that, when executed by the processor, cause the memory management unit to receive a memory access instruction comprising a virtual memory address; translate the virtual memory address to a physical memory address of the memory, and obtain permission information associated with the physical memory address. Responsive to the permission information indicating that metadata is permitted to be associated with the physical memory address, a check is made of a metadata summary table stored in the physical memory to check whether metadata is compatible with the physical memory address. Responsive to the check being unsuccessful, a trap is sent to system software of the computing device in order to trigger dynamic allocation of physical memory for storing metadata associated with the physical memory address.

公开(公告)号：US20240411598A1

公开(公告)日：2024-12-12

申请号：US18812979

申请日：2024-08-22

Applicant: Microsoft Technology Licensing, LLC

Inventor： David Thomas CHISNALL ,  Matthew John PARKINSON ,  Sylvan Wesley CLEBSCH ,  Roy SCHUSTER

IPC: G06F9/50 ,  G06F9/355 ,  G06F9/455 ,  G06F9/54 ,  G06F21/57

Abstract: A method of memory deallocation across a trust boundary between a first software component and a second software component is described. Some memory is shared between the first and second software components. An in-memory message passing facility is implemented using the shared memory. The first software component is used to deallocate memory from the shared memory which has been allocated by the second software component. The deallocation is done by: taking at least one allocation to be freed from the message passing facility; and freeing the at least one allocation using a local deallocation mechanism while validating that memory access to memory owned by data structures related to memory allocation within the shared memory are within the shared memory.

公开(公告)号：US20240160795A1

公开(公告)日：2024-05-16

申请号：US18419359

申请日：2024-01-22

Applicant: Microsoft Technology Licensing, LLC

Inventor： Stavros VOLOS ,  David Thomas CHISNALL ,  Saurabh Mohan KULKARNI ,  Kapil VASWANI ,  Manuel COSTA ,  Samuel Alexander WEBSTER ,  Cédric Alain Marie FOURNET ,  Richard OSBORNE ,  Daniel John Pelham WILKINSON ,  Graham Bernard CUNNINGHAM

IPC: G06F21/85 ,  G06F21/60 ,  H04L9/30 ,  H04L9/32

CPC classification number: G06F21/85 ,  G06F21/602 ,  H04L9/30 ,  H04L9/3265

Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.

公开(公告)号：US20230168933A1

公开(公告)日：2023-06-01

申请号：US18162704

申请日：2023-01-31

Applicant: Microsoft Technology Licensing, LLC

Inventor： David Thomas CHISNALL ,  Matthew John PARKINSON ,  Sylvan Wesley CLEBSCH ,  Roy SCHUSTER

IPC: G06F9/50 ,  G06F9/355 ,  G06F9/455 ,  G06F21/57 ,  G06F9/54

CPC classification number: G06F9/5016 ,  G06F9/355 ,  G06F9/45533 ,  G06F21/572 ,  G06F9/546 ,  G06F9/54 ,  G06F9/5005 ,  G06F9/455 ,  G06F9/5022 ,  G06F9/544 ,  G06F9/45558 ,  G06F9/50 ,  G06F2009/45583 ,  G06F2009/45587

Abstract: A method of memory deallocation across a trust boundary between a first software component and a second software component is described. Some memory is shared between the first and second software components. An in-memory message passing facility is implemented using the shared memory. The first software component is used to deallocate memory from the shared memory which has been allocated by the second software component. The deallocation is done by: taking at least one allocation to be freed from the message passing facility; and freeing the at least one allocation using a local deallocation mechanism while validating that memory access to memory owned by data structures related to memory allocation within the shared memory are within the shared memory.

公开(公告)号：US20210342492A1

公开(公告)日：2021-11-04

申请号：US17374942

申请日：2021-07-13

Applicant: Microsoft Technology Licensing, LLC

Inventor： Stavros VOLOS ,  David Thomas CHISNALL ,  Saurabh Mohan KULKARNI ,  Kapil VASWANI ,  Manuel COSTA ,  Samuel Alexander WEBSTER ,  Cédric Alain Marie FOURNET ,  Richard OSBORNE ,  Daniel John Pelham WILKINSON ,  Graham Bernard CUNNINGHAM

IPC: G06F21/85 ,  G06F21/60 ,  H04L9/30 ,  H04L9/32

Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.

公开(公告)号：US20210004469A1

公开(公告)日：2021-01-07

申请号：US16503455

申请日：2019-07-03

Applicant: Microsoft Technology Licensing, LLC

Inventor： David Thomas CHISNALL ,  Cédric Alain Marie FOURNET ,  Manuel COSTA ,  Samuel Alexander WEBSTER ,  Sylvan CLEBSCH ,  Kapil VASWANI

IPC: G06F21/57 ,  H04L29/06 ,  G06F9/455

Abstract: A computer system has a separation mechanism which enforces separation between at least two execution environments such that one execution environment is a gatekeeper which interposes on all communications of the other execution environment. The computer system has an attestation mechanism which enables the gatekeeper to attest to properties of the at least two execution environments. A first one of the execution environments runs application specific code which may contain security vulnerabilities. The gatekeeper is configured to enforce an input output policy on the first execution environment by interposing on all communication to and from the first execution environment by forwarding, modifying or dropping individual ones of the communications according to the policy. The gatekeeper provides evidence of attestation both for the application specific code and the policy.

公开(公告)号：US20210004271A1

公开(公告)日：2021-01-07

申请号：US16503449

申请日：2019-07-03

Applicant: Microsoft Technology Licensing, LLC

Inventor： David Thomas CHISNALL ,  Matthew John PARKINSON ,  Sylvan Wesley CLEBSCH ,  Roy SCHUSTER

IPC: G06F9/50 ,  G06F9/355 ,  G06F9/455 ,  G06F21/57

Abstract: A method of memory deallocation across a trust boundary between a first software component and a second software component is described. Some memory is shared between the first and second software components. An in-memory message passing facility is implemented using the shared memory. The first software component is used to deallocate memory from the shared memory which has been allocated by the second software component. The deallocation is done by: taking at least one allocation to be freed from the message passing facility; and freeing the at least one allocation using a local deallocation mechanism while validating that memory access to memory owned by data structures related to memory allocation within the shared memory are within the shared memory.