Abstract: Embodiments are directed to collision-free hashing for accessing cryptographic computing metadata and for cache expansion. An embodiment of an apparatus includes one or more processors to compute a plurality of hash functions that combine additions, bit-level reordering, bit-linear mixing, and wide substitutions, wherein each of the plurality of hash functions differs in one of the additions, the bit-level reordering, the wide substitutions, or the bit-linear mixing; and access a hash table utilizing results of the plurality of hash functions.

Abstract: The disclosed embodiments relate to system, method and apparatus to compartmentalize information in a program so as to protect against malware. In one embodiment, the disclosed provides a compiler that is enhanced to automatically define multiple compartments within a program based on the data sets that they access. The disclosed embodiments may be implemented at a compiler and certain embodiments may be referred to as compartmentalizing compiler. For each data set, an exemplary compartmentalizing compiler separates program elements that need direct access to the data set from those that do not and it defines a boundary around the data set and the program elements that need to access it. In certain embodiments, other portions of the program may still need to invoke the compartment. Thus, the disclosure also generates interface routines to copy data back and forth through the compartment boundary.

Abstract: An example apparatus includes a scan manager to add a portion of a page of physical memory from a first sequence of mappings to a second sequence of mappings in response to determining the second sequence includes an address corresponding to the portion of the page of physical memory, and a scanner to scan the first sequence and the second sequence to determine whether at least one of first data in the first sequence or second data in the second sequence includes a pattern indicative of malware.

Abstract: Embodiments are directed toward techniques to detect a first function associated with an address space initiating a call instruction to a second function in the address space, the first function to call the second function in a deprivileged mode of operation, and define accessible address ranges for segments of the address space for the second function, each segment to a have a different address range in the address space where the second function is permitted to access in the deprivileged mode of operation, Embodiments include switching to the stack associated with the second address space and the second function, and initiating execution of the second function in the deprivileged mode of operation.

Abstract: Systems, methods, and apparatuses relating to circuitry to implement individually revocable capabilities for enforcing temporal memory safety are described. In one embodiment, a hardware processor comprises an execution unit to execute an instruction to request access to a block of memory through a pointer to the block of memory, and a memory controller circuit to allow access to the block of memory when an allocated object tag in the pointer is validated with an allocated object tag in an entry of a capability table in memory that is indexed by an index value in the pointer, wherein the memory controller circuit is to clear the allocated object tag in the capability table when a corresponding object is deallocated.

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

Abstract: An apparatus and method for efficient process-based compartmentalization.

Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.

Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.

Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.

Abstract: Systems, apparatuses and methods may provide for technology that stores a security monitor at a first location in an address space, wherein the security monitor is to control requests to use a security-critical instruction at a second location in the address space, and wherein the second location is in the first set of locations. The technology also installs a control instruction at an entry point to the security monitor, wherein the control instruction is to restrict indirect branch targets, and excludes the control instruction from all locations in the first set of locations that are not entry points.

Abstract: Embodiments of systems, apparatuses and methods provide enhanced function as a service (FaaS) to users, e.g., computer developers and cloud service providers (CSPs). A computing system configured to provide such enhanced FaaS service include one or more controls architectural subsystems, software and orchestration subsystems, network and storage subsystems, and security subsystems. The computing system executes functions in response to events triggered by the users in an execution environment provided by the architectural subsystems, which represent an abstraction of execution management and shield the users from the burden of managing the execution. The software and orchestration subsystems allocate computing resources for the function execution by intelligently spinning up and down containers for function code with decreased instantiation latency and increased execution scalability while maintaining secured execution.

Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes an address identifier to, when an entry of a paging structure has been accessed, determine a first address corresponding to a page of physical memory when the entry of the paging structure maps to the page of the physical memory; and a scanner to: scan a threshold amount of memory beginning at a physical memory address corresponding to the first address; and determine whether the threshold amount of memory includes a pattern indicative of malware.

Abstract: An apparatus and method for efficient process-based compartmentalization.

Abstract: An apparatus and method for memory management using compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data, at least one instruction to generate a system memory access request using a first linear address; and address translation circuitry to perform a first walk operation through a set of one or more address translation tables to translate the first linear address to a first physical address, the address translation circuitry to concurrently perform a second walk operation through a set of one or more linear address metadata tables to identify metadata associated with the linear address, and to use one or more portions of the metadata to validate access by the at least one instruction to the first physical address.

Abstract: Systems, methods, and apparatuses relating to circuitry to implement individually revocable capabilities for enforcing temporal memory safety are described. In one embodiment, a hardware processor comprises an execution unit to execute an instruction to request access to a block of memory through a pointer to the block of memory, and a memory controller circuit to allow access to the block of memory when an allocated object tag in the pointer is validated with an allocated object tag in an entry of a capability table in memory that is indexed by an index value in the pointer, wherein the memory controller circuit is to clear the allocated object tag in the capability table when a corresponding object is deallocated.

Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.

Abstract: An apparatus and method for efficient process-based compartmentalization.

Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

Abstract: Enforcing memory operand types using protection keys is generally described herein. A processor system to provide sandbox execution support for protection key rights attacks includes a processor core to execute a task associated with an untrusted application and execute the task using a designated page of a memory; and a memory management unit to designate the page of the memory to support execution of the untrusted application.