Abstract: Methods and apparatuses relating to switching of a shadow stack pointer are described. In one embodiment, a hardware processor includes a hardware decode unit to decode an instruction, and a hardware execution unit to execute the instruction to: pop a token for a thread from a shadow stack, wherein the token includes a shadow stack pointer for the thread with at least one least significant bit (LSB) of the shadow stack pointer overwritten with a bit value of an operating mode of the hardware processor for the thread, remove the bit value in the at least one LSB from the token to generate the shadow stack pointer, and set a current shadow stack pointer to the shadow stack pointer from the token when the operating mode from the token matches a current operating mode of the hardware processor.

Abstract: In an embodiment, the present invention includes a processor having an execution logic to execute instructions and a control transfer termination (CTT) logic coupled to the execution logic. This logic is to cause a CTT fault to be raised if a target instruction of a control transfer instruction is not a CTT instruction. Other embodiments are described and claimed.

Abstract: Enforcing memory operand types using protection keys is generally described herein. A processor system to provide sandbox execution support for protection key rights attacks includes a processor core to execute a task associated with an untrusted application and execute the task using a designated page of a memory; and a memory management unit to designate the page of the memory to support execution of the untrusted application.

Abstract: In function-as-a-service (FaaS) environments, a client makes use of a function executing within a trusted execution environment (TEE) on a FaaS server. Multiple tenants of the FaaS platform may provide functions to be executed by the FaaS platform via a gateway. Each tenant may provide code and data for any number of functions to be executed within any number of TEEs on the FaaS platform and accessed via the gateway. Additionally, each tenant may provide code and data for a single surrogate attester TEE. The client devices of the tenant use the surrogate attester TEE to attest each of the other TEEs of the tenant and establish trust with the functions in those TEEs. Once the functions have been attested, the client devices have confidence that the other TEEs of the tenant are running on the same platform as the gateway.

Abstract: Example methods and systems are directed to isolating memory in trusted execution environments (TEEs). In function-as-a-service (FaaS) environments, a client makes use of a function executing within a TEE on a FaaS server. To minimize the trusted code base (TCB) for each function, each function may be placed in a separate TEE. However, this causes the overhead of creating a TEE to be incurred for each function. As discussed herein, multiple functions may be placed in a single TEE without compromising the data integrity of each function. For example, by using a different extended page table (EPT) for each function, the virtual address spaces of the functions are kept separate and map to different, non-overlapping physical address spaces. Partial overlap may be permitted to allow functions to share some data while protecting other data. Memory for each function may be encrypted using a different encryption key.

Abstract: A processor of an aspect includes a decode unit to decode an instruction. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine that an attempted change due to the instruction, to a shadow stack pointer of a shadow stack, would cause the shadow stack pointer to exceed an allowed range. The execution unit is also to take an exception in response to determining that the attempted change to the shadow stack pointer would cause the shadow stack pointer to exceed the allowed range. Other processors, methods, systems, and instructions are disclosed.

Abstract: Example methods and systems are directed to reducing latency in providing trusted execution environments (TEES). Initializing a TEE includes multiple steps before the TEE starts executing. Besides workload-specific initialization, workload-independent initialization is performed, such as adding memory to the TEE. In function-as-a-service (FaaS) environments, a large portion of the TEE is workload-independent, and thus can be performed prior to receiving the workload. Certain steps performed during TEE initialization are identical for certain classes of workloads. Thus, the common parts of the TEE initialization sequence may be performed before the TEE is requested. When a TEE is requested for a workload in the class and the parts to specialize the TEE for its particular purpose are known, the final steps to initialize the TEE are performed.

Abstract: Various embodiments are generally directed to techniques for training deep neural networks, such as with an iterative approach, for instance. Some embodiments are particularly directed to a deep neural network (DNN) training system that generates a hardened DNN by iteratively training DNNs with images that were misclassified by previous iterations of the DNN. One or more embodiments, for example, may include logic to generate an adversarial image that is misclassified by a first DNN that was previously trained with a set of sample images. In some embodiments, the logic may determine a second training set that includes the adversarial image that was misclassified by the first DNN and the first training set of one or more sample images. The second training set may be used to train a second DNN. In various embodiments, the above process may be repeated for a predetermined number of iterations to produce a hardened DNN.

Abstract: A processor includes a processor core and a memory controller coupled to the processor core. The memory controller comprising a cryptographic engine to: detect, in a write request for a cache line, a key identifier (ID) within a physical address of a location in memory; determine that the key ID is a trust domain key ID of a plurality of key IDs; responsive to a determination that the key ID is the trust domain key ID, set an ownership bit of the cache line to indicate the cache line belongs to a trust domain; encrypt the cache line to generate encrypted data; determine a message authentication code (MAC) associated with the cache line; and write the encrypted data, the ownership bit, and the MAC of the cache line to the memory.

Abstract: There is disclosed a microprocessor, including: a processing core; and a total memory encryption (TME) engine to provide TME for a first trust domain (TD), and further to: allocate a block of physical memory to the first TD and a first cryptographic key to the first TD; map within an extended page table (EPT) a host physical address (HPA) space to a guest physical address (GPA) space of the TD; create a memory ownership table (MOT) entry for a memory page within the block of physical memory, wherein the MOT table comprises a GPA reverse mapping; encrypt the MOT entry using the first cryptographic key; and append to the MOT entry verification data, wherein the MOT entry verification data enables detection of an attack on the MOT entry.

Abstract: In a method to utilize a secure public cloud, a computer receives a domain manager image and memory position-dependent address information in response to requesting a service from a cloud services provider. The computer also verifies the domain manager image and identifies a key domain key to be used to encrypt data stored in a key domain of a key domain-capable server. The computer also uses the key domain key and the memory-position dependent address information to encrypt a domain launch image such that the encrypted domain launch image is cryptographically bound to at least one memory location of the key domain. The computer also encrypts the key domain key and sends the encrypted domain launch image and the encrypted key domain key to the key domain-capable server, to cause a processor of the key domain-capable server to create the key domain. Other embodiments are described and claimed.

Abstract: Implementations describe a computing system that implements a plurality of virtual machines inside a trust domain (TD), enabled via a secure arbitration mode (SEAM) of the processor. A processor includes one or more registers to store a SEAM range of memory, a TD key identifier of a TD private encryption key. The processor is capable of initializing a trust domain resource manager (TDRM) to manage the TD, and a virtual machine monitor within the TD to manage the plurality of virtual machines therein. The processor is further capable of exclusively associating a plurality of memory pages with the TD, wherein the plurality of memory pages associated with the TD is encrypted with a TD private encryption key inaccessible to the TDRM. The processor is further capable of using the SEAM range of memory, inaccessible to the TDRM, to provide isolation between the TDRM and the plurality of virtual machines.

Abstract: A processing system includes a processing core to execute a virtual machine (VM) comprising a guest operating system (OS) and a memory management unit, communicatively coupled to the processing core, comprising a storage device to store an extended page table entry (EPTE) comprising a mapping from a guest physical address (GPA) associated with the guest OS to an identifier of a memory frame, a first plurality of access right flags associated with accessing the memory frame in a first page mode referenced by an attribute of a memory page identified by the GPA, and a second plurality of access right flags associated with accessing the memory frame in a second page mode referenced by the attribute of the memory page identified by the GPA.

Abstract: A data processing system (DPS) uses platform protection technology (PPT) to protect some or all of the code and data belonging to certain software modules. The PPT may include a virtual machine monitor (VMM) to enable an untrusted application and a trusted application to run on top of a single operating system (OS), while preventing the untrusted application from accessing memory used by the trusted application. The VMM may use a first extended page table (EPT) to translate a guest physical address (GPA) into a first host physical address (HPA) for the untrusted application. The VMM may use a second EPT to translate the GPA into a second HPA for the trusted application. The first and second EPTs may map the same GPA to different HPAs. Other embodiments are described and claimed.

Abstract: Various embodiments are generally directed to techniques for training deep neural networks, such as with an iterative approach, for instance. Some embodiments are particularly directed to a deep neural network (DNN) training system that generates a hardened DNN by iteratively training DNNs with images that were misclassified by previous iterations of the DNN. One or more embodiments, for example, may include logic to generate an adversarial image that is misclassified by a first DNN that was previously trained with a set of sample images. In some embodiments, the logic may determine a second training set that includes the adversarial image that was misclassified by the first DNN and the first training set of one or more sample images. The second training set may be used to train a second DNN. In various embodiments, the above process may be repeated for a predetermined number of iterations to produce a hardened DNN.

Abstract: A processor executes an untrusted VMM that manages execution of a guest workload. The processor also populates an entry in a memory ownership table for the guest workload. The memory ownership table is indexed by an original hardware physical address, the entry comprises an expected guest address that corresponds to the original hardware physical address, and the entry is encrypted with a key domain key. In response to receiving a request from the guest workload to access memory using a requested guest address, the processor (a) obtains, from the untrusted VMM, a hardware physical address that corresponds to the requested guest address; (b) uses that physical address as an index to find an entry in the memory ownership table; and (c) verifies whether the expected guest address from the found entry matches the requested guest address. Other embodiments are described and claimed.

Abstract: A method, system, computer-readable media, and apparatus for ensuring a secure cloud environment is provided, where public cloud services providers can remove their code from the Trusted Computing Base (TCB) of their cloud services consumers. The method for ensuring a secure cloud environment keeps the Virtual Machine Monitor (VMM), devices, firmware and the physical adversary (where a bad administrator/technician attempts to directly access the cloud host hardware) outside of a consumer's Virtual Machine (VM) TCB. Only the consumer that owns this secure VM can modify the VM or access contents of the VM (as determined by the consumer).

Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.

Abstract: A computer-readable medium comprises instructions that, when executed, cause a processor to execute an untrusted workload manager to manage execution of at least one guest workload.

Abstract: A data processing system (DPS) uses platform protection technology (PPT) to protect some or all of the code and data belonging to certain software modules. The PPT may include a virtual machine monitor (VMM) to enable an untrusted application and a trusted application to run on top of a single operating system (OS), while preventing the untrusted application from accessing memory used by the trusted application. The VMM may use a first extended page table (EPT) to translate a guest physical address (GPA) into a first host physical address (HPA) for the untrusted application. The VMM may use a second EPT to translate the GPA into a second HPA for the trusted application. The first and second EPTs may map the same GPA to different HPAs. Other embodiments are described and claimed.