Abstract: Systems and methods for on-demand loading of metadata. In some embodiments, in response to receiving a page fault service request from an operating system kernel, at least one first physical page may be allocated in an application memory for a virtual address indicated in the page fault service request. Metadata may be loaded into at least one second physical page in a metadata memory, wherein: the at least one second physical page in the metadata memory corresponds to the at least one first physical page in the application memory; and the metadata loaded into the at least one second physical page corresponds to application data loaded into the at least one first physical page.

Abstract: Systems and methods for stalling a host processor. In some embodiments, the host processor may be caused to initiate one or more selected transactions, wherein the one or more selected transactions comprise a bus transaction. The host processor may be prevented from completing the one or more selected transactions, to thereby stall the host processor.

Abstract: Systems and methods for updating metadata. In some embodiments, in response to detecting an instruction executed by a hardware system, a source location of the instruction may be identified. First metadata associated with the instruction may be used to determine whether the instruction is allowed. In response to determining that the instruction is allowed, the source location of the instruction may be associated with second metadata.

Abstract: Systems and methods for metadata processing. In some embodiments, one or more metadata inputs may be processed to determine whether to allow an instruction. For instance, one or more classification bits may be identified from a metadata input of the one or more metadata inputs, and the metadata input may be processed based on the one or more classification bits.

Abstract: Systems and methods for enforcing one or more policies that are encoded as programmable hardware functions. In some embodiments, tag processing hardware may receive information relating to one or more instructions executed by a host system. The information may be used to construct an input pattern, which may be processed, in hardware, to obtain at least one indicator. The tag processing hardware may then determine whether the at least one indicator matches at least one parameter that is selected based on one or more policies being enforced by the tag processing hardware. In response to determining that the at least one indicator does not match the at least one parameter, the tag processing hardware may send a signal to the host system to indicate a violation of the one or more policies.

Abstract: Systems and methods for metadata processing. In some embodiments, one or more metadata inputs may be processed to determine whether to allow an instruction. For instance, one or more classification bits may be identified from a metadata input of the one or more metadata inputs, and the metadata input may be processed based on the one or more classification bits.

Abstract: In some embodiments, a system is provided, comprising enforcement hardware configured to execute, at run time, a state machine in parallel with application code. Executing the state machine may include: maintaining metadata that corresponds to one or more state variables of the state machine; matching instructions in the application code to transitions in the state machine; and, in response to determining that an instruction in the application code does not match any transition from a current state of the state machine, causing an error handling routine to be executed. In some embodiments, a description of a state machine may be translated into at least one policy to be enforced at run time based on metadata labels associated with application code and/or data manipulated by the application code.

Abstract: Systems and methods for caching metadata. In some embodiments, in response to an access request comprising an application memory address, it may be determined whether the application memory address matches an entry of at least one cache. In response to determining that the application memory address does not match any entry of the at least one cache: the application memory address may be used to retrieve application data; the application memory address may be mapped to at least one metadata memory address; and the at least one metadata memory address may be used to retrieve metadata corresponding to the application memory address. An entry in the at least one cache may be created, wherein: the entry is indexed by the application memory address; and the entry stores both the application data retrieved using the application memory address, and the corresponding metadata retrieved using the at least one metadata memory address.

Abstract: Systems and methods for updating metadata. In some embodiments, processing hardware may receive an input metadata pattern associated with an instruction executed by a host processor. The input metadata pattern may comprise: one or more first input metadata labels associated with the instruction and/or a state of the host processor; and one or more second input metadata labels associated, respectively, with one or more registers used by the instruction and/or one or more memory locations referenced by the instruction. The processing hardware may generate an output metadata pattern, wherein: the one or more first input metadata labels are used to determine how to process the one or more second input metadata labels to generate the output metadata pattern.

Abstract: Systems and methods for caching metadata. In some embodiments, in response to an access request comprising an application memory address, it may be determined whether the application memory address matches an entry of at least one cache. In response to determining that the application memory address does not match any entry of the at least one cache: the application memory address may be used to retrieve application data; the application memory address may be mapped to at least one metadata memory address; and the at least one metadata memory address may be used to retrieve metadata corresponding to the application memory address. An entry in the at least one cache may be created, wherein: the entry is indexed by the application memory address; and the entry stores both the application data retrieved using the application memory address, and the corresponding metadata retrieved using the at least one metadata memory address.

Abstract: Systems and methods for updating metadata. In some embodiments, in response to detecting an instruction executed by a hardware system, a source location of the instruction may be identified. First metadata associated with the instruction may be used to determine whether the instruction is allowed. In response to determining that the instruction is allowed, the source location of the instruction may be associated with second metadata.

Abstract: According to at least one aspect, a hardware system include a host processor, a policy engine, and an interlock is provided. These components can interoperate to enforce security policies. The host processor can execute an instruction and provide instruction information to the policy engine and the result of the executed instruction to the interlock. The policy engine can determine whether the executed instruction is allowable according to one or more security policies using the instruction information. The interlock can buffer the result of the executed instruction until an indication is received from the policy engine that the instruction was allowable. The interlock can then release the result of the executed instruction. The policy engine can be configured to transform instructions received from the host processor or add inserted instructions to the policy evaluation pipeline to increase the flexibility of the policy engine and enable enforcement of the security policies.

Abstract: A system including at least one processor programmed to identify, based on a policy to be enforced, one or more metadata symbols corresponding to an entity name; identify, from a target description describing a target system, an entity description matching the entity name, wherein the entity description describes an entity of the target system; and apply a metadata label to the entity of the target system, wherein the metadata label is based on the one or more metadata symbols corresponding to the entity name, as identified based on the policy.

Abstract: Systems and methods for compartmentalization. In some embodiments, in response to receiving a compartment update request, a target compartment of a compartment transition triggering the compartment update request may be determined, and a compartment configuration corresponding to the target compartment may be loaded, wherein the compartment configuration indicates at least one address range associated with the target compartment.

Abstract: According to at least one aspect, a hardware system include a host processor, a policy engine, and an interlock is provided. These components can interoperate to enforce security policies. The host processor can execute an instruction and provide instruction information to the policy engine and the result of the executed instruction to the interlock. The policy engine can determine whether the executed instruction is allowable according to one or more security policies using the instruction information. The interlock can buffer the result of the executed instruction until an indication is received from the policy engine that the instruction was allowable. The interlock can then release the result of the executed instruction. The policy engine can be configured to transform instructions received from the host processor or add inserted instructions to the policy evaluation pipeline to increase the flexibility of the policy engine and enable enforcement of the security policies.

Abstract: Systems and methods for on-demand loading of metadata. In some embodiments, in response to receiving a page fault service request from an operating system kernel, at least one first physical page may be allocated in an application memory for a virtual address indicated in the page fault service request. Metadata may be loaded into at least one second physical page in a metadata memory, wherein: the at least one second physical page in the metadata memory corresponds to the at least one first physical page in the application memory; and the metadata loaded into the at least one second physical page corresponds to application data loaded into the at least one first physical page.

Abstract: Systems and methods for violation processing. In some embodiments, in response to detecting a policy violation, tag processing hardware may enter a violation processing mode, and may cause a host processor to begin executing violation processing code. The tag processing hardware may continue checking one or more instructions in an instruction queue. In response to encountering, in the instruction queue, an instruction of the violation processing code, the tag processing hardware may exit the violation processing mode.

Abstract: Systems and methods for metadata processing. In some embodiments, a target address may be received from a host processor. The target address may be used to access mapping information and decoding information, the mapping information and the decoding information being associated with the target address. The mapping information may be used to map the target address to a metadata address. The metadata address may be used to retrieve metadata, and the decoding information may be used to decode the retrieved metadata.

Abstract: Systems and methods for stalling a host processor. In some embodiments, the host processor may be caused to initiate one or more selected transactions, wherein the one or more selected transactions comprise a bus transaction. The host processor may be prevented from completing the one or more selected transactions, to thereby stall the host processor.

Abstract: Systems and methods for caching metadata. In some embodiments, in response to an access request comprising an application memory address, it may be determined whether the application memory address matches an entry of at least one cache. In response to determining that the application memory address does not match any entry of the at least one cache: the application memory address may be used to retrieve application data; the application memory address may be mapped to at least one metadata memory address; and the at least one metadata memory address may be used to retrieve metadata corresponding to the application memory address. An entry in the at least one cache may be created, wherein: the entry is indexed by the application memory address; and the entry stores both the application data retrieved using the application memory address, and the corresponding metadata retrieved using the at least one metadata memory address.