Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes scan manager to identify a physical memory address that has recently been accessed. The physical memory address is identified as having been recently accessed when an access has occurred within a threshold of a current time. The apparatus also includes a scanner to scan a threshold amount of memory beginning at the physical memory address, and determine whether the memory included in the threshold amount of memory includes a pattern indicative of malware.

Abstract: In one embodiment, an apparatus comprises a processor configured to: detect a first control transfer operation; determine that a destination of the first control transfer operation is within code stored in execute-only memory; generate a fault if the destination of the first control transfer operation is an invalid entry point into the code stored in execute-only memory; detect a second control transfer operation while executing the code stored in execute-only memory; and abort execution of the code stored in execute-only memory if the second control transfer operation is detected at an invalid exit point in the code.

Abstract: A method comprises filtering branch trap events at a branch event filter, monitoring a branch event filter to capture indirect branch trap events that cause a control flow trap exception, receiving the indirect branch trap events at a handler and the handler processing the indirect branch trap events.

Abstract: Technologies for indirect branch target security include a computing device having a processor to execute an indirect branch instruction. The processor may determine an indirect branch target of the indirect branch instruction, load a memory tag associated with the indirect branch target, and determine whether the memory tag is set. The processor may generate a security fault if the memory tag is not set. The processor may load an encrypted indirect branch target, decrypt the encrypted branch target using an activation record key stored in an activation key register, and perform a jump to the indirect branch target. The processor may generate a next activation record coordinate as a function of the activation record key and a return address of a call instruction and generate the next activation record key as a function of the next activation record coordinate. Other embodiments are described and claimed.

Abstract: Various embodiments are generally directed to techniques for detecting malware in a manner that mitigates the consumption of processing and/or storage resources of a processing device. An apparatus may include a first processor component of a processing device to generate entries in a chronological order within a first page modification log maintained within a first storage divided into multiple pages, each entry to indicate a write access made by the first processor component to a page of the multiple pages; a retrieval component of a graphics controller of the processing device to recurringly retrieve indications from the first page modification log of at least one recently written page of the multiple pages; and a scan component of the graphics controller to recurringly scan the at least one recently written page to detect malware within the at least one recently written page.

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a page table edit controller configured to control access to guest page tables by virtual machine (VM) guest software through the manipulation of extended page tables. The system may include a translation look-aside buffer (TLB) to maintain a policy to lock one or more guest linear addresses (GLAs) to one or more allowable guest physical addresses (GPAs); a page walk processor to update the TLB based on the guest page tables; and a page table edit control (PTEC) module to: identify entries of the guest page tables that map GLAs associated with the policy to a first GPA; verify that the mapping conforms to the policy; and place the guest page table into one of a plurality of restricted accessibility states based on the verification, the restricted accessibility applied to the VM guests and to the page walk processor.

Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes a walker to traverse a paging structure of an address translation system; a bit analyzer to determine whether a bit associated with an entry of the paging structure is indicative of the entry being recently accessed; an address identifier to, when the bit analyzer determines that the bit associated with the entry of the paging structure is indicative of the entry being recently accessed, determine an address associated with the entry; and an outputter to provide the determined address to a memory scanner.

Abstract: Systems and methods for validating virtual address translation. An example processing system comprises: a processing core to execute a first application associated with a first privilege level and a second application associated with a second privilege level, wherein a first set of privileges associated with the first privilege level includes a second set of privileges associated with the second privilege level; and an address validation component to validate, in view of an address translation data structure maintained by the first application, a mapping of a first address defined in a first address space of the second application to a second address defined in a second address space of the second application.

Abstract: In one embodiment, a processor comprises: a first storage including a plurality of entries to store an address of a portion of a memory in which information has been modified; a second storage to store an identifier of a process for which information is to be stored into the first storage; and a first logic to identify a modification to a first portion of the memory and store a first address of the first portion of the memory in a first entry of the first storage, responsive to a determination that a current identifier of a current process corresponds to the identifier stored in the second storage. Other embodiments are described and claimed.

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a page table edit controller configured to control access to guest page tables by virtual machine (VM) guest software through the manipulation of extended page tables. The system may include a translation look-aside buffer (TLB) to maintain a policy to lock one or more guest linear addresses (GLAs) to one or more allowable guest physical addresses (GPAs); a page walk processor to update the TLB based on the guest page tables; and a page table edit control (PTEC) module to: identify entries of the guest page tables that map GLAs associated with the policy to a first GPA; verify that the mapping conforms to the policy; and place the guest page table into one of a plurality of restricted accessibility states based on the verification, the restricted accessibility applied to the VM guests and to the page walk processor.

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for controlled memory view switching. The system may include a memory module comprising a shared address space between a first memory view and a second memory view. The system may also include a virtual machine monitor (VMM) to maintain a list of Controlled View Switch (CVS) descriptors. The system may further include a processor to receive a memory view switch request and to execute an instruction to save processor state information and switch from the first memory view to the second memory view, wherein the second memory view is specified by an extended page table pointer (EPTP) provided by one of the CVS descriptors.

Abstract: Various embodiments are generally directed to techniques for detecting malware in a manner that mitigates the consumption of processing and/or storage resources of a processing device. An apparatus may include a first processor component of a processing device to generate entries in a chronological order within a first page modification log maintained within a first storage divided into multiple pages, each entry to indicate a write access made by the first processor component to a page of the multiple pages; a retrieval component of a graphics controller of the processing device to recurringly retrieve indications from the first page modification log of at least one recently written page of the multiple pages; and a scan component of the graphics controller to recurringly scan the at least one recently written page to detect malware within the at least one recently written page.

Abstract: Solutions for controlling data exposure among computing entities are described. A data transfer agent (DTA) module includes a data payload portion to store information content conditionally transferable to at least one other DTA module, and a code portion containing instructions that operationally implement: a DTA connectivity link to the at least one other DTA module; an attestation module to obtain, via the DTA connectivity link, attestation from each of the at least one other DTA module indicating a data output connectivity configuration of that other DTA module; and a decision module to determine a degree of permissible interaction with each of the at least one other DTA module based the attestation and on decision criteria.

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for protecting confidential data with transactional processing in execute-only memory. The system may include a memory module configured to store an execute-only code page. The system may also include a transaction processor configured to enforce a transaction region associated with at least a portion of the code page. The system may further include a processor configured to execute a load instruction fetched from the code page, the load instruction configured to load at least a portion of the confidential data from an immediate operand of the load instruction if a transaction mode of the transaction region is enabled.

Abstract: Technologies for execute only transactional memory include a computing device with a processor and a memory. The processor includes an instruction translation lookaside buffer (iTLB) and a data translation lookaside buffer (dTLB). In response to a page miss, the processor determines whether a page physical address is within an execute only transactional (XOT) range of the memory. If within the XOT range, the processor may populate the iTLB with the page physical address and prevent the dTLB from being populated with the page physical address. In response to an asynchronous change of control flow such as an interrupt, the processor determines whether a last iTLB translation is within the XOT range. If within the XOT range, the processor clears or otherwise secures the processor register state. The processor ensures that an XOT range starts execution at an authorized entry point. Other embodiments are described and claimed.

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for secure memory page mapping in a virtual machine (VM) environment. The system may include a processor configured to execute a virtual machine monitor (VMM). The VMM may be configured to maintain a table of cryptographic keys and associate a token with one of the memory pages to be mapped from a guest linear address (GLA) to a guest physical address (GPA). The token may include a key identifier (key ID) associated with one of the cryptographic keys, and an authentication code based on the GLA, the GPA, and one of the cryptographic keys. The system may also include a page walk processor configured to validate the token to indicate that the memory page associated with the token is authorized to be mapped from the GLA to the GPA.

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for protecting confidential data with transactional processing in execute-only memory. The system may include a memory module configured to store an execute-only code page. The system may also include a transaction processor configured to enforce a transaction region associated with at least a portion of the code page. The system may further include a processor configured to execute a load instruction fetched from the code page, the load instruction configured to load at least a portion of the confidential data from an immediate operand of the load instruction if a transaction mode of the transaction region is enabled.

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a page table edit controller configured to control access to guest page tables by virtual machine (VM) guest software through the manipulation of extended page tables. The system may include a translation look-aside buffer (TLB) to maintain a policy to lock one or more guest linear addresses (GLAs) to one or more allowable guest physical addresses (GPAs); a page walk processor to update the TLB based on the guest page tables; and a page table edit control (PTEC) module to: identify entries of the guest page tables that map GLAs associated with the policy to a first GPA; verify that the mapping conforms to the policy; and place the guest page table into one of a plurality of restricted accessibility states based on the verification, the restricted accessibility applied to the VM guests and to the page walk processor.