Abstract: A processor cache is logically partitioned into a main partition, located in the cache itself, and an enclave partition, located within an enclave, that is, a hardware-enforced protected region of an address space of a memory. This extends the secure address space usable by and for an application such as a software cryptoprocessor that is to execute only in secure regions of cache or memory.

Abstract: A system and method of operation exploit the limited associativity of a single cache set to force observable cache evictions and discover conflicts. Loads are issued to input memory addresses, one at a time, until a cache eviction is detected. After observing a cache eviction on a load from an address, that address is added to a data structure representing the current conflict set. The cache is then flushed, and loads are issued to all addresses in the current conflict set, so that all known conflicting addresses are accessed first, ensuring that the next cache miss will occur on a different conflicting address. The process is repeated, issuing loads from all input memory addresses, incrementally finding conflicting addresses, one by one. Memory addresses that conflict in the cache belong to the same partition, whereas memory addresses belonging to different partitions do not conflict.

Abstract: A method and tangible medium embodying code for allocating resource units of an allocatable resource among a plurality of clients in a computer is described. In the method, resource units are initially distributed among the clients by assigning to each of the clients a nominal share of the allocatable resource. For each client, a current allocation of resource units is determined. A metric is evaluated for each client, the metric being a function both of the nominal share and a usage-based factor, the usage-based factor being a function of a measure of resource units that the client is actively using and a measure of resource units that the client is not actively using. A resource unit can be reclaimed from a client when the metric for that client meets a predetermined criterion.

Abstract: An application such as a virtual machine are executed securely using a software-based, full-system emulator within a hardware-protected enclave, such as an SGX enclave. The emulator may thereby be secure even against a malicious underlying host operating system. In some cases, paging is used to allow even a large application may run within a small enclave using paging. Where the application itself uses enclaves, these guest enclaves may themselves be emulated within an emulator enclave such that the guest enclave(s) are nested as sibling enclaves by the emulator.

Abstract: A method and tangible medium embodying code for allocating resource units of an allocatable resource among a plurality of clients in a computer is described. In the method, resource units are initially distributed among the clients by assigning to each of the clients a nominal share of the allocatable resource. For each client, a current allocation of resource units is determined. A metric is evaluated for each client, the metric being a function both of the nominal share and a usage-based factor, the usage-based factor being a function of a measure of resource units that the client is actively using and a measure of resource units that the client is not actively using. A resource unit can be reclaimed from a client when the metric for that client meets a predetermined criterion.

Abstract: To generate a checkpoint for a virtual machine (VM), first, while the VM is still running, a copy-on-write (COW) disk file is created pointing to a parent disk file that the VM is using. Next, the VM is stopped, the VM's memory is marked COW, the device state of the VM is saved to memory, the VM is switched to use the COW disk file, and the VM begins running again for substantially the remainder of the checkpoint generation. Next, the device state that was stored in memory and the unmodified VM memory pages are saved to a checkpoint file. Also, a copy may be made of the parent disk file for retention as part of the checkpoint, or the original parent disk file may be retained as part of the checkpoint. If a copy of the parent disk file was made, then the COW disk file may be committed to the original parent disk file.

Abstract: A virtual-machine-based system that may protect the privacy and integrity of application data, even in the event of a total operating system compromise. An application is presented with a normal view of its resources, but the operating system is presented with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Different views of “physical” memory are presented, depending on a context performing the access. An additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processors is provided.

Abstract: A virtual-machine-based system that may protect the privacy and integrity of application data, even in the event of a total operating system compromise. An application is presented with a normal view of its resources, but the operating system is presented with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Different views of “physical” memory are presented, depending on a context performing the access. An additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processors is provided.

Abstract: Methods and systems for securing sensitive data from security risks associated with direct memory access (“DMA”) by input/output (“I/O”) devices are provided. An enhanced software cryptoprocessor system secures sensitive data using various techniques, including (1) protecting sensitive data by preventing DMA by an I/O device to the portion of the cache that stores the sensitive data, (2) protecting device data by preventing cross-device access to device data using DMA isolation, and (3) protecting the cache by preventing the pessimistic eviction of cache lines on DMA writes to main memory.

Abstract: To generate a checkpoint for a virtual machine (VM), first, while the VM is still running, a copy-on-write (COW) disk file is created pointing to a parent disk file that the VM is using. Next, the VM is stopped, the VM's memory is marked COW, the device state of the VM is saved to memory, the VM is switched to use the COW disk file, and the VM begins running again for substantially the remainder of the checkpoint generation. Next, the device state that was stored in memory and the unmodified VM memory pages are saved to a checkpoint file. Also, a copy may be made of the parent disk file for retention as part of the checkpoint, or the original parent disk file may be retained as part of the checkpoint. If a copy of the parent disk file was made, then the COW disk file may be committed to the original parent disk file.

Abstract: Techniques for implicit coscheduling of CPUs to improve corun performance of scheduled contexts are described. One technique minimizes skew by implementing corun migrations, and another technique minimizes skew by implementing a corun bonus mechanism. Skew between schedulable contexts may be calculated based on guest progress, where guest progress represents time spent executing guest operating system and guest application code. A non-linear skew catch-up algorithm is described that adjusts the progress of a context when the progress falls far behind its sibling contexts.

Abstract: A system and method of operation exploit the limited associativity of a single cache set to force observable cache evictions and discover conflicts. Loads are issued to input memory addresses, one at a time, until a cache eviction is detected. After observing a cache eviction on a load from an address, that address is added to a data structure representing the current conflict set. The cache is then flushed, and loads are issued to all addresses in the current conflict set, so that all known conflicting addresses are accessed first, ensuring that the next cache miss will occur on a different conflicting address. The process is repeated, issuing loads from all input memory addresses, incrementally finding conflicting addresses, one by one. Memory addresses that conflict in the cache belong to the same partition, whereas memory addresses belonging to different partitions do not conflict.

Abstract: A virtual-machine-based system that may protect the privacy and integrity of application data, even in the event of a total operating system compromise. An application is presented with a normal view of its resources, but the operating system is presented with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Different views of “physical” memory are presented, depending on a context performing the access. An additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processors is provided.

Abstract: A virtual-machine-based system provides a mechanism to implement application file I/O operations of protected data by implementing the I/O operations semantics in a shim layer with memory-mapped regions. The semantics of these I/O operations are emulated in a shim layer with memory-mapped regions by using a mapping between a process' address space and a file or shared memory object. Data that is protected from viewing by a guest OS running in a virtual machine may nonetheless be accessed by the process.

Abstract: The configuration of a cache is adjusted within a computer system that includes at least one entity that submits a stream of references, each reference corresponding to a location identifier corresponding to data storage locations in a storage system. The reference stream is spatially sampled using reference hashing. Cache utility values are determined for each of a plurality of caching simulations and an optimal configuration is selected based on the results of the simulations.

Abstract: Security of information—both code and data—stored in a computer's system memory is provided by an agent loaded into and at run time resident in a CPU cache. Memory writes from the CPU are encrypted by the agent before writing and reads into the CPU are decrypted by the agent before they reach the CPU. The cache-resident agent also optionally validates the encrypted information stored in the system memory. Support for I/O devices and cache protection from unsafe DMA of the cache by devices is also provided.

Abstract: Techniques for implicit coscheduling of CPUs to improve corun performance of scheduled contexts are described. One technique minimizes skew by implementing corun migrations, and another technique minimizes skew by implementing a corun bonus mechanism. Skew between schedulable contexts may be calculated based on guest progress, where guest progress represents time spent executing guest operating system and guest application code. A non-linear skew catch-up algorithm is described that adjusts the progress of a context when the progress falls far behind its sibling contexts.

Abstract: At least one guest system, for example, a virtual machine, is connected to a host system, which includes a system resource such as system machine memory. Each guest system includes a guest operating system (OS). A resource requesting mechanism, preferably a driver, is installed within each guest OS and communicates with a resource scheduler included within the host system. If the host system needs any one the guest systems to relinquish some of the system resource it currently is allocated, then the resource scheduler instructs the driver within that guest system's OS to reserve more of the resource, using the guest OS's own, native resource allocation mechanisms. The driver thus frees this resource for use by the host, since the driver does not itself actually need the requested amount of the resource. The driver in each guest OS thus acts as a hollow “balloon” to “inflate” or “deflate,” that is, reserve more or less of the system resource via the corresponding guest OS.

Abstract: One or more embodiments of the present invention provide a technique for effectively managing virtualized computing systems with an unlimited number of hardware resources. Host systems included in a virtualized computer system are organized into a scalable, peer-to-peer (P2P) network in which host systems arrange themselves into a network overlay to communicate with one another. The network overlay enables the host systems to perform a variety of operations, which include dividing computing resources of the host systems among a plurality of virtual machines (VMs), load balancing VMs across the host systems, and performing an initial placement of a VM in one of the host systems.

Abstract: A cache in a computer system is configured with a plurality of monitoring slices, each comprising a separately addressable partition of the cache. With each monitoring slice is associated a respective sub-range of a hash function, which has a range that includes at least the addressable partitions of the cache that comprise the monitoring slices. For each of a stream of location identifiers submitted by at least one entity, a respective location identifier hash value is computed and used to determine in which, if any, monitoring slice-associated hash function sub-range the location identifier hash value falls. For at least one of the monitoring slices, a frequency value is determined as a function of how many of the location identifier hash values fell into the slice's associated hash function sub-range, and a respective cache utility value is then computed as a function of each monitoring slice's frequency value.