Abstract: Systems and methods for caching metadata. In some embodiments, in response to an access request comprising an application memory address, it may be determined whether the application memory address matches an entry of at least one cache. In response to determining that the application memory address does not match any entry of the at least one cache: the application memory address may be used to retrieve application data; the application memory address may be mapped to at least one metadata memory address; and the at least one metadata memory address may be used to retrieve metadata corresponding to the application memory address. An entry in the at least one cache may be created, wherein: the entry is indexed by the application memory address; and the entry stores both the application data retrieved using the application memory address, and the corresponding metadata retrieved using the at least one metadata memory address.

Abstract: Systems and methods for updating metadata. In some embodiments, in response to detecting an instruction executed by a hardware system, a source location of the instruction may be identified. First metadata associated with the instruction may be used to determine whether the instruction is allowed. In response to determining that the instruction is allowed, the source location of the instruction may be associated with second metadata.

Abstract: According to at least one aspect, a hardware system include a host processor, a policy engine, and an interlock is provided. These components can interoperate to enforce security policies. The host processor can execute an instruction and provide instruction information to the policy engine and the result of the executed instruction to the interlock. The policy engine can determine whether the executed instruction is allowable according to one or more security policies using the instruction information. The interlock can buffer the result of the executed instruction until an indication is received from the policy engine that the instruction was allowable. The interlock can then release the result of the executed instruction. The policy engine can be configured to transform instructions received from the host processor or add inserted instructions to the policy evaluation pipeline to increase the flexibility of the policy engine and enable enforcement of the security policies.

Abstract: A system including at least one processor programmed to identify, based on a policy to be enforced, one or more metadata symbols corresponding to an entity name; identify, from a target description describing a target system, an entity description matching the entity name, wherein the entity description describes an entity of the target system; and apply a metadata label to the entity of the target system, wherein the metadata label is based on the one or more metadata symbols corresponding to the entity name, as identified based on the policy.

Abstract: Systems and methods for compartmentalization. In some embodiments, in response to receiving a compartment update request, a target compartment of a compartment transition triggering the compartment update request may be determined, and a compartment configuration corresponding to the target compartment may be loaded, wherein the compartment configuration indicates at least one address range associated with the target compartment.

Abstract: According to at least one aspect, a hardware system include a host processor, a policy engine, and an interlock is provided. These components can interoperate to enforce security policies. The host processor can execute an instruction and provide instruction information to the policy engine and the result of the executed instruction to the interlock. The policy engine can determine whether the executed instruction is allowable according to one or more security policies using the instruction information. The interlock can buffer the result of the executed instruction until an indication is received from the policy engine that the instruction was allowable. The interlock can then release the result of the executed instruction. The policy engine can be configured to transform instructions received from the host processor or add inserted instructions to the policy evaluation pipeline to increase the flexibility of the policy engine and enable enforcement of the security policies.

Abstract: Systems and methods for on-demand loading of metadata. In some embodiments, in response to receiving a page fault service request from an operating system kernel, at least one first physical page may be allocated in an application memory for a virtual address indicated in the page fault service request. Metadata may be loaded into at least one second physical page in a metadata memory, wherein: the at least one second physical page in the metadata memory corresponds to the at least one first physical page in the application memory; and the metadata loaded into the at least one second physical page corresponds to application data loaded into the at least one first physical page.

Abstract: Systems and methods for violation processing. In some embodiments, in response to detecting a policy violation, tag processing hardware may enter a violation processing mode, and may cause a host processor to begin executing violation processing code. The tag processing hardware may continue checking one or more instructions in an instruction queue. In response to encountering, in the instruction queue, an instruction of the violation processing code, the tag processing hardware may exit the violation processing mode.

Abstract: Systems and methods for metadata processing. In some embodiments, a target address may be received from a host processor. The target address may be used to access mapping information and decoding information, the mapping information and the decoding information being associated with the target address. The mapping information may be used to map the target address to a metadata address. The metadata address may be used to retrieve metadata, and the decoding information may be used to decode the retrieved metadata.

Abstract: Systems and methods for stalling a host processor. In some embodiments, the host processor may be caused to initiate one or more selected transactions, wherein the one or more selected transactions comprise a bus transaction. The host processor may be prevented from completing the one or more selected transactions, to thereby stall the host processor.

Abstract: Systems and methods for caching metadata. In some embodiments, in response to an access request comprising an application memory address, it may be determined whether the application memory address matches an entry of at least one cache. In response to determining that the application memory address does not match any entry of the at least one cache: the application memory address may be used to retrieve application data; the application memory address may be mapped to at least one metadata memory address; and the at least one metadata memory address may be used to retrieve metadata corresponding to the application memory address. An entry in the at least one cache may be created, wherein: the entry is indexed by the application memory address; and the entry stores both the application data retrieved using the application memory address, and the corresponding metadata retrieved using the at least one metadata memory address.

Abstract: Systems and methods for updating metadata. In some embodiments, in response to detecting an instruction executed by a hardware system, a source location of the instruction may be identified. First metadata associated with the instruction may be used to determine whether the instruction is allowed. In response to determining that the instruction is allowed, the source location of the instruction may be associated with second metadata.

Abstract: In some embodiments, a system is provided, comprising enforcement hardware configured to execute, at run time, a state machine in parallel with application code. Executing the state machine may include: maintaining metadata that corresponds to one or more state variables of the state machine; matching instructions in the application code to transitions in the state machine; and, in response to determining that an instruction in the application code does not match any transition from a current state of the state machine, causing an error handling routine to be executed. In some embodiments, a description of a state machine may be translated into at least one policy to be enforced at run time based on metadata labels associated with application code and/or data manipulated by the application code.

Abstract: A system including at least one processor programmed to translate a policy into policy code, wherein: the policy is provided in a policy language; the policy code is in a programming language that is different from the policy language; and the policy includes a statement that maps an entity name to one or more metadata symbols to be associated with an entity in a target system against which the policy is to be enforced.

Abstract: A system including at least one processor programmed to identify, based on a policy to be enforced, one or more metadata symbols corresponding to an entity name; identify, from a target description describing a target system, an entity description matching the entity name, wherein the entity description describes an entity of the target system; and apply a metadata label to the entity of the target system, wherein the metadata label is based on the one or more metadata symbols corresponding to the entity name, as identified based on the policy.

Abstract: Systems and methods for stalling a host processor. In some embodiments, the host processor may be caused to initiate one or more selected transactions, wherein the one or more selected transactions comprise a bus transaction. The host processor may be prevented from completing the one or more selected transactions, to thereby stall the host processor.

Abstract: Systems and methods for metadata processing. The method comprises acts of associating, in a first system, metadata with application data processed by a host processor, wherein the application data is protected within the first system by one or more first policies using the metadata, and transferring the application data and its associated metadata to a second system in which the application data is unprotected using metadata processing or is protected by one or more second policies different from the one or more first policies.

Abstract: In some embodiments, a system is provided, comprising enforcement hardware configured to execute, at run time, a state machine in parallel with application code. Executing the state machine may include maintaining metadata that corresponds to one or more state variables of the state machine; matching instructions in the application code to transitions in the state machine; and, in response to determining that an instruction in the application code does not match any transition from a current state of the state machine, causing an error handling routine to be executed. In some embodiments, a description of a state machine may be translated into at least one policy to be enforced at run time based on metadata labels associated with application code and/or data manipulated by the application code.

Abstract: A system including at least one processor programmed to identify, based on a policy to be enforced, one or more metadata symbols corresponding to an entity name; identify, from a target description describing a target system, an entity description matching the entity name, wherein the entity description describes an entity of the target system; and apply a metadata label to the entity of the target system, wherein the metadata label is based on the one or more metadata symbols corresponding to the entity name, as identified based on the policy.

Abstract: Systems and methods for stalling a host processor. In some embodiments, the host processor may be caused to initiate one or more selected transactions, wherein the one or more selected transactions comprise a bus transaction. The host processor may be prevented from completing the one or more selected transactions, to thereby stall the host processor.