Patents by Inventor Alastair Wolman

Alastair Wolman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240112723
    Abstract: The present disclosure relates to systems and methods implemented on a memory controller for detecting and mitigating memory attacks (e.g., row hammer attacks). For example, a memory controller may engage a counting mode in which activation counts for memory sub-banks are tracked. For example, a memory controller may engage a counting mode in which activation counts for memory rows of memory sub-banks are maintained. Under certain conditions, the memory controller may transition from the counting mode to a sampling mode to mitigate potential row hammer attacks. The memory controller may consider various conditions in determining whether to continue detecting and mitigating potential row hammer attacks in the sampling mode and/or transitioning back to the counting mode. By selectively transitioning between the different operating modes, the memory controller may reduce periods of time when the memory hardware is vulnerable to attacks.
    Type: Application
    Filed: October 3, 2022
    Publication date: April 4, 2024
    Inventors: Ishwar AGARWAL, Stefan SAROIU, Alastair WOLMAN, Daniel Sebastian BERGER
  • Patent number: 11900127
    Abstract: Cryptographically-secured deferral tickets provided by a minting process that runs in a secure enclave on a computing device reset an authenticated watchdog timer that reboots the device from a hardware-protected recovery operating system to re-image the device into a known good state if the timer expires. The deferral tickets are written to a secure channel using a symmetric key that is provisioned by repurposing an existing Intel SGX (Software Guard Extension) Versioning Support protocol that enables migration of secrets between enclaves that have the same author. In an illustrative embodiment, the deferral ticket minting process and authenticated watchdog timer execute locally to enable automated recovery of the computing device when utilized in far edge infrastructure of a fifth generation (5G) network such as a distributed unit (DU) of a radio access network (RAN).
    Type: Grant
    Filed: December 8, 2021
    Date of Patent: February 13, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Saroiu, Varun Gandhi, Alastair Wolman, Landon Prentice Cox
  • Publication number: 20230385206
    Abstract: The present disclosure relates to systems and methods implemented on a memory controller for detecting and mitigating memory attacks (e.g., row hammer attacks). For example, a memory controller may track activations of row addresses within a memory hardware (e.g., a DRAM device) and determine whether a pattern of activations is indicative of a row hammer attack. This is determined using a counting mode for corresponding memory sub-banks. Where a likely row hammer attack is detected, the memory controller may activate a sampling mode (rather than the counting mode) for a particular sub-bank to identify which of the row addresses should be refreshed on the memory hardware. The implementations described herein provide a low computational cost alternative to heavy-handed detection mechanisms that require access to significant computing resources to accurately detect and mitigate row hammer attacks.
    Type: Application
    Filed: May 31, 2022
    Publication date: November 30, 2023
    Inventors: Ishwar AGARWAL, Stefan SAROIU, Alastair WOLMAN, Daniel Sebastian BERGER
  • Publication number: 20230177148
    Abstract: A health ticket minting process operates in a secure enclave on a computing device to ensure liveness of the enclave should a maliciously-compromised operating system deny service to starve the enclave. Cryptographically-secured health tickets provided by the minting process reset an authenticated watchdog timer (AWDT) that reboots the device from a hardware-protected recovery operating system if the timer expires. The health tickets are written to a secure channel using a symmetric key that is provisioned by repurposing an existing Intel SGX (Software Guard Extension) Versioning Support protocol that enables migration of secrets between enclaves that have the same author. In the event that the enclave fails to make forward progress and health tickets are not minted, then the AWDT expires and forces the reboot and re-imaging to a known good state to evict the malware from the computing device.
    Type: Application
    Filed: December 8, 2021
    Publication date: June 8, 2023
    Inventors: Stefan SAROIU, Varun GANDHI, Alastair WOLMAN, Landon Prentice COX
  • Publication number: 20230176876
    Abstract: Cryptographically-secured deferral tickets provided by a minting process that runs in a secure enclave on a computing device reset an authenticated watchdog timer that reboots the device from a hardware-protected recovery operating system to re-image the device into a known good state if the timer expires. The deferral tickets are written to a secure channel using a symmetric key that is provisioned by repurposing an existing Intel SGX (Software Guard Extension) Versioning Support protocol that enables migration of secrets between enclaves that have the same author. In an illustrative embodiment, the deferral ticket minting process and authenticated watchdog timer execute locally to enable automated recovery of the computing device when utilized in far edge infrastructure of a fifth generation (5G) network such as a distributed unit (DU) of a radio access network (RAN).
    Type: Application
    Filed: December 8, 2021
    Publication date: June 8, 2023
    Inventors: Stefan SAROIU, Varun GANDHI, Alastair WOLMAN, Landon Prentice COX
  • Publication number: 20230129255
    Abstract: Aspects of the present disclosure relate to techniques for minimizing the effects of RowHammer and induced charge leakage. In examples, systems and methods for preventing access pattern attacks in random-access memory (RAM) are provided. In aspects, a data request associated with a page table may be determined to be a potential security risk and such potential security risk may be mitigated by randomly selecting a memory region from a subset of memory regions, copying data stored in a memory region associated with a page table entry in the page table to the second memory region, disassociating the second memory region from the subset of memory regions and associating the memory region associated with the page table to the second memory region, and updating the page table entry in the page table to refer to the second memory region.
    Type: Application
    Filed: December 28, 2022
    Publication date: April 27, 2023
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Stefan SAROIU, Alastair WOLMAN, Lucian COJOCAR, Kevin Robert LOUGHLIN
  • Publication number: 20230110752
    Abstract: A method for improving efficiency of routing edge compute traffic from a user equipment (UE) to an edge compute server at a far edge of a cellular network includes provisioning a near edge control unit (CU) and a near edge user plane function (UPF) at a near edge of the cellular network. The method also includes provisioning a far edge CU, a far edge UPF, and an edge compute workload at the far edge. The method also includes receiving UE traffic at one or more distributed units located at the far edge. The UE traffic includes the edge compute traffic and non-edge compute traffic. The method also includes identifying the edge compute traffic among the UE traffic, routing the edge compute traffic to the edge compute workload at the far edge, and routing the non-edge compute traffic to the near edge UPF at the near edge.
    Type: Application
    Filed: October 13, 2021
    Publication date: April 13, 2023
    Inventors: Alastair WOLMAN, Paramvir BAHL, Landon Prentice COX
  • Patent number: 11567880
    Abstract: Aspects of the present disclosure relate to techniques for minimizing the effects of RowHammer and induced charge leakage. In examples, systems and methods for preventing access pattern attacks in random-access memory (RAM) are provided. In aspects, a data request associated with a page table may be determined to be a potential security risk and such potential security risk may be mitigated by randomly selecting a memory region from a subset of memory regions, copying data stored in a memory region associated with a page table entry in the page table to the second memory region, disassociating the second memory region from the subset of memory regions and associating the memory region associated with the page table to the second memory region, and updating the page table entry in the page table to refer to the second memory region.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: January 31, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Saroiu, Alastair Wolman, Lucian Cojocar, Kevin Robert Loughlin
  • Publication number: 20220374262
    Abstract: Systems and methods are provided for offloading a task from a central processor in a radio access network (RAN) server to one or more heterogeneous accelerators. For example, a task associated with one or more operational partitions (or a service application) associated with processing data traffic in the RAN is dynamically allocated for offloading from the central processor based on workload status information. One or more accelerators are dynamically allocated for executing the task, where the accelerators may be heterogeneous and may not comprise pre-programming for executing the task. The disclosed technology further enables generating specific application programs for execution on the respective heterogeneous accelerators based on a single set of program instructions.
    Type: Application
    Filed: May 18, 2021
    Publication date: November 24, 2022
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Paramvir BAHL, Daehyeok KIM, Anuj KALIA, Alastair WOLMAN
  • Publication number: 20220050793
    Abstract: Aspects of the present disclosure relate to techniques for minimizing the effects of RowHammer and induced charge leakage. In examples, systems and methods for preventing access pattern attacks in random-access memory (RAM) are provided. In aspects, a data request associated with a page table may be determined to be a potential security risk and such potential security risk may be mitigated by randomly selecting a memory region from a subset of memory regions, copying data stored in a memory region associated with a page table entry in the page table to the second memory region, disassociating the second memory region from the subset of memory regions and associating the memory region associated with the page table to the second memory region, and updating the page table entry in the page table to refer to the second memory region.
    Type: Application
    Filed: August 28, 2020
    Publication date: February 17, 2022
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Stefan SAROIU, Alastair Wolman, Lucian COJOCAR, Kevin Robert LOUGHLIN
  • Patent number: 11233804
    Abstract: A compromise detection system protects data centers (DCs) or other providers in the cloud. The compromise detection system can detect compromised virtual machines (VMs) through changes in network traffic characteristics while avoiding expensive data collection and preserving privacy. The compromise detection system obtains and uses periodically-obtained flow pattern summaries to detect compromised VMs. Agent-based detection on predetermined and compromised VMs can expose (using supervised learning) the network behavior of compromised VMs and then apply the learned model to all VMs in the DC. The compromise detection system can run continuously, protect the privacy of cloud customers, comply with Europe's General Data Protection Regulation (GDPR), and avoid various techniques that both erode privacy and degrade VM performance.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: January 25, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Behnaz Arzani, Selim Ciraci, Stefan Saroiu, Alastair Wolman, Jack Wilson Stokes, III, Geoff Outhred
  • Patent number: 11032345
    Abstract: Methods and devices for encoding and decoding data streams are disclosed. In some aspects, the data streams are multimedia data streams. One method disclosed includes obtaining, by a client device, a first multimedia data stream and a second multimedia data stream, the second multimedia data stream being a lower fidelity version of the first multimedia data stream, generating, by the client device, a third multimedia data stream based on differences between the first and second multimedia data streams, compressing, by the client device, the second multimedia data stream to generate a first compressed multimedia data stream, compressing, by the client device, the third multimedia data stream to generate a second compressed multimedia data stream; and transmitting, by the client device, the first and second compressed multimedia data streams to the server.
    Type: Grant
    Filed: May 10, 2018
    Date of Patent: June 8, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eduardo A Cuervo Laffaye, Alastair Wolman, Stefan Saroiu, Sharad Agarwal, Paramvir Bahl, Landon Cox
  • Patent number: 10978171
    Abstract: Aspects of the present disclosure relate to techniques for identifying susceptibility to induced charge leakage. In examples, a susceptibility test sequence comprising a cache line flush instruction is used to repeatedly activate a row of a memory unit. The susceptibility test sequence causes induced charge leakage within rows that are physically adjacent to the activated row, such that a physical adjacency map can be generated. In other examples, a physical adjacency map is used to identify a set of adjacent rows to a target row. A susceptibility test sequence is used to repeatedly activate the set of adjacent rows, after which the content of the target row is analyzed to determine whether any bits of the target row flipped as a result of induced charge leakage. If flipped bits are not identified, an indication is generated that the memory unit is not susceptible to induced charge leakage.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: April 13, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Saroiu, Lucian Cojocar, Alastair Wolman
  • Publication number: 20210035654
    Abstract: Aspects of the present disclosure relate to techniques for identifying susceptibility to induced charge leakage. In examples, a susceptibility test sequence comprising a cache line flush instruction is used to repeatedly activate a row of a memory unit. The susceptibility test sequence causes induced charge leakage within rows that are physically adjacent to the activated row, such that a physical adjacency map can be generated. In other examples, a physical adjacency map is used to identify a set of adjacent rows to a target row. A susceptibility test sequence is used to repeatedly activate the set of adjacent rows, after which the content of the target row is analyzed to determine whether any bits of the target row flipped as a result of induced charge leakage. If flipped bits are not identified, an indication is generated that the memory unit is not susceptible to induced charge leakage.
    Type: Application
    Filed: July 31, 2019
    Publication date: February 4, 2021
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Stefan SAROIU, Lucian COJOCAR, Alastair WOLMAN
  • Patent number: 10805662
    Abstract: A server device and method are provided for use in predictive server-side rendering of scenes based on client-side user input. The server device may include a processor and a storage device holding instructions for an application program executable by the processor to receive, at the application program, a current navigation input in a stream of navigation inputs from a client device over a network, calculate a predicted future navigation input based on the current navigation input and a current application state of the application program, render a future scene based on the predicted future navigation input to a rendering surface, and send the rendering surface to the client device over the network.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: October 13, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David Chiyuan Chu, Eduardo Alberto Cuervo Laffaye, Johannes Peter Kopf, Alastair Wolman, Yury Degtyarev, Kyungmin Lee, Sergey Grizan
  • Patent number: 10750139
    Abstract: A head mounted display device including a processor configured to compute a rendered rendering surface of a predicted scene having a predicted user viewpoint, the predicted user viewpoint being a prediction of a viewpoint that a user will have at a point in time that was predicted for the user of the head mounted display device prior to the point in time, receive, from the user input device, a subsequent user navigation input near the point in time in the stream of user input, determine an actual user viewpoint based on the subsequent user navigation input, determine a user viewpoint misprediction based on the predicted user viewpoint and the actual user viewpoint, and reconstruct a viewport for the actual user viewpoint from the rendered rendering surface.
    Type: Grant
    Filed: May 23, 2017
    Date of Patent: August 18, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David Chiyuan Chu, Eduardo Alberto Cuervo Laffaye, Johannes Peter Kopf, Alastair Wolman, Yury Degtyarev, Kyungmin Lee, Sergey Grizan
  • Publication number: 20200244674
    Abstract: A compromise detection system protects data centers (DCs) or other providers in the cloud. The compromise detection system can detect compromised virtual machines (VMs) through changes in network traffic characteristics while avoiding expensive data collection and preserving privacy. The compromise detection system obtains and uses periodically-obtained flow pattern summaries to detect compromised VMs. Agent-based detection on predetermined and compromised VMs can expose (using supervised learning) the network behavior of compromised VMs and then apply the learned model to all VMs in the DC. The compromise detection system can run continuously, protect the privacy of cloud customers, comply with Europe's General Data Protection Regulation (GDPR), and avoid various techniques that both erode privacy and degrade VM performance.
    Type: Application
    Filed: January 28, 2019
    Publication date: July 30, 2020
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Behnaz ARZANI, Selim CIRACI, Stefan SAROIU, Alastair WOLMAN, Jack Wilson STOKES, III, Geoff OUTHRED
  • Patent number: 10693887
    Abstract: Technologies pertaining to limiting access to secret data through utilization of sensor-based constraints are described herein. A sensor-based constraint is a constraint that can only be satisfied by predefined readings that may be output by at least one sensor on a mobile computing device. If the sensor on the mobile computing device outputs a reading that satisfies the sensor-based constraint, secret data is provided to a requesting application. Otherwise, the requesting application is prevented from accessing the secret data.
    Type: Grant
    Filed: July 12, 2016
    Date of Patent: June 23, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Saroiu, Alastair Wolman, Himanshu Raj, He Liu
  • Publication number: 20200092599
    Abstract: A server device and method are provided for use in predictive server-side rendering of scenes based on client-side user input. The server device may include a processor and a storage device holding instructions for an application program executable by the processor to receive, at the application program, a current navigation input in a stream of navigation inputs from a client device over a network, calculate a predicted future navigation input based on the current navigation input and a current application state of the application program, render a future scene based on the predicted future navigation input to a rendering surface, and send the rendering surface to the client device over the network.
    Type: Application
    Filed: November 25, 2019
    Publication date: March 19, 2020
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: David Chiyuan Chu, Eduardo Alberto Cuervo Laffaye, Johannes Peter Kopf, Alastair Wolman, Yury Degtyarev, Kyungmin Lee, Sergey Grizan
  • Patent number: 10579910
    Abstract: A classification system classifies different aspects of content of an input image stream, such as faces, landmarks, events, and so forth. The classification system includes a general classifier and at least one specialized classifier template. The general classifier is trained to classify a large number of different aspects of content, and a specialized classifier can be trained based on a specialized classifier template during operation of the classification system to classify a particular subset of the multiple different aspects of content. The classification system determines when to use the general classifier and when to use a specialized classifier based on class skew, which refers to the temporal locality of a subset of aspects of content in the image stream.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: March 3, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Matthai Philipose, Haichen Shen, Alastair Wolman, Sharad Agarwal