Abstract: A method of and system for performing metadata tag compression in security policy enforcement system may comprise conveying a set of data elements, each with an associated metadata tag, from a first processor subsystem to a second processor subsystem. The first processor subsystem may be configured to process conventional tasks, the second processor configured to apply one or more policy decisions to the data element. The conveying may further comprise sending the set of data elements along with an index element that identifies one or more metadata tags, and sending one or more of the metadata tags identified by the index element.

Abstract: A method of enforcing a set of security policies may comprise executing, by a first processor, a first set of processor instructions directed to conventional tasks, and executing, by a second processor, a second set of processor instructions directed to manipulating metadata. The executing by the second processor may comprise (i) evaluating a current instruction being executed by the first processor, along with a metadata tag associated with the current instruction, (ii) identifying a rule in a rule cache that is applicable to the current instruction and the associated metadata tag, and (iii) applying a policy decision to the current instruction according to the rule.

Abstract: A method of and system for performing metadata tag compression in security policy enforcement system may comprise conveying a set of data elements, each with an associated metadata tag, from a first processor subsystem to a second processor subsystem. The first processor subsystem may be configured to process conventional tasks, the second processor configured to apply one or more policy decisions to the data element. The conveying may further comprise sending the set of data elements along with an index element that identifies one or more metadata tags, and sending one or more of the metadata tags identified by the index element.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: A system and method of processing instructions may comprise an application processing domain (APD) and a metadata processing domain (MTD). The APD may comprise an application processor executing instructions and providing related information to the MTD. The MTD may comprise a tag processing unit (TPU) having a cache of policy-based rules enforced by the MTD. The TPU may determine, based on policies being enforced and metadata tags and operands associated with the instructions, that the instructions are allowed to execute (i.e., are valid). The TPU may write, if the instructions are valid, the metadata tags to a queue. The queue may (i) receive operation output information from the application processing domain, (ii) receive, from the TPU, the metadata tags, (iii) output, responsive to receiving the metadata tags, resulting information indicative of the operation output information and the metadata tags; and (iv) permit the resulting information to be written to memory.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, satiety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: A system and method for metadata processing that can be used to encode an arbitrary number of security policies for code running on a stored-program processor. This disclosure adds metadata to every word in the system and adds a metadata processing unit that works in parallel with data flow to enforce an arbitrary set of policies, such that metadata is unbounded and software programmable to be applicable to a wide range of metadata processing policies. This instant disclosure is applicable to a wide range of uses including safety, security, and synchronization.

Abstract: A method of and system for performing metadata tag compression in security policy enforcement system may comprise conveying a set of data elements, each with an associated metadata tag, from a first processor subsystem to a second processor subsystem. The first processor subsystem may be configured to process conventional tasks, the second processor configured to apply one or more policy decisions to the data element. The conveying may further comprise sending the set of data elements along with an index element that identifies one or more metadata tags, and sending one or more of the metadata tags identified by the index element.

Abstract: A method of enforcing a set of security policies may comprise executing, by a first processor, a first set of processor instructions directed to conventional tasks, and executing, by a second processor, a second set of processor instructions directed to manipulating metadata. The executing by the second processor may comprise (i) evaluating a current instruction being executed by the first processor, along with a metadata tag associated with the current instruction, (ii) identifying a rule in a rule cache that is applicable to the current instruction and the associated metadata tag, and (iii) applying a policy decision to the current instruction according to the rule.

Abstract: In an embodiment, a method includes, in a hardware processor, determining, for a processor instruction, a rule for matching a predicted memory tag. The method further includes determining a predicted memory tag based on applying the rule for matching the predicted memory tag. The method further includes determining an R tag based on applying the rule. The method further includes obtaining an actual memory tag from memory based on an operand of the processor instruction. The method further includes determining whether the predicted memory tag and the actual memory tag match. The method further includes, if the predicted memory tag and actual memory tag match, using the R tag as the R tag output.

Abstract: A method includes receiving, for metadata processing, a current instruction with a associated metadata tags. The metadata processing is performed in a metadata processing domain isolated from a code execution domain including the current instruction. Each respective associated metadata tag representing a respective policy of the composite policy. The associated metadata tags further including pointers to tags of a component policy of the composite policy. For each respective metadata tag, the method includes determining, in the metadata processing domain and in accordance with the metadata tag and the current instruction, whether a rule exists in a rule cache for the current instruction. The rule cache including rules on metadata used by said metadata processing to define allowed instructions. The determination of whether a rule exists resulting in a respective output.

Abstract: A system and method for metadata processing that can be used to encode an arbitrary number of security policies for code running on a stored-program processor. This disclosure adds metadata to every word in the system and adds a metadata processing unit that works in parallel with data flow to enforce an arbitrary set of policies, such that metadata is unbounded and software programmable to be applicable to a wide range of metadata processing policies. This instant disclosure is applicable to a wide range of uses including safety, security, and synchronization.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.