Abstract: A system and method of processing instructions may comprise an application processing domain (APD) and a metadata processing domain (MTD). The APD may comprise an application processor executing instructions and providing related information to the MTD. The MTD may comprise a tag processing unit (TPU) having a cache of policy-based rules enforced by the MTD. The TPU may determine, based on policies being enforced and metadata tags and operands associated with the instructions, that the instructions are allowed to execute (i.e., are valid). The TPU may write, if the instructions are valid, the metadata tags to a queue. The queue may (i) receive operation output information from the application processing domain, (ii) receive, from the TPU, the metadata tags, (iii) output, responsive to receiving the metadata tags, resulting information indicative of the operation output information and the metadata tags; and (iv) permit the resulting information to be written to memory.

Abstract: A system and method of processing instructions may comprise an application processing domain (APD) and a metadata processing domain (MTD). The APD may comprise an application processor executing instructions and providing related information to the MTD. The MTD may comprise a tag processing unit (TPU) having a cache of policy-based rules enforced by the MTD. The TPU may determine, based on policies being enforced and metadata tags and operands associated with the instructions, that the instructions are allowed to execute (i.e., are valid). The TPU may write, if the instructions are valid, the metadata tags to a queue. The queue may (i) receive operation output information from the application processing domain, (ii) receive, from the TPU, the metadata tags, (iii) output, responsive to receiving the metadata tags, resulting information indicative of the operation output information and the metadata tags; and (iv) permit the resulting information to be written to memory.

Abstract: A system and method of processing instructions may comprise an application processing domain (APD) and a metadata processing domain (MTD). The APD may comprise an application processor executing instructions and providing related information to the MTD. The MTD may comprise a tag processing unit (TPU) having a cache of policy-based rules enforced by the MTD. The TPU may determine, based on policies being enforced and metadata tags and operands associated with the instructions, that the instructions are allowed to execute (i.e., are valid). The TPU may write, if the instructions are valid, the metadata tags to a queue. The queue may (i) receive operation output information from the application processing domain, (ii) receive, from the TPU, the metadata tags, (iii) output, responsive to receiving the metadata tags, resulting information indicative of the operation output information and the metadata tags; and (iv) permit the resulting information to be written to memory.

Abstract: A method comprises receiving a current instruction for metadata processing performed in a metadata processing domain that is isolated from a code execution domain including the current instruction. The method further comprises determining, by the metadata processing domain in connection with metadata for the current instruction, whether to allow execution of the current instruction in accordance with a set of one or more policies. The one or more policies may include a set of rules that enforces execution of a complete sequence of instructions in a specified order from a first instruction of the complete sequence to a last instruction of the complete sequence. The metadata processing may be implemented by a metadata processing hierarchy comprising a control module, a masking module, a hash module, a rule cache lookup module, and/or an output tag module.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: A system and method of processing instructions may comprise an application processing domain (APD) and a metadata processing domain (MTD). The APD may comprise an application processor executing instructions and providing related information to the MTD. The MTD may comprise a tag processing unit (TPU) having a cache of policy-based rules enforced by the MTD. The TPU may determine, based on policies being enforced and metadata tags and operands associated with the instructions, that the instructions are allowed to execute (i.e., are valid). The TPU may write, if the instructions are valid, the metadata tags to a queue. The queue may (i) receive operation output information from the application processing domain, (ii) receive, from the TPU, the metadata tags, (iii) output, responsive to receiving the metadata tags, resulting information indicative of the operation output information and the metadata tags; and (iv) permit the resulting information to be written to memory.

Abstract: A method includes receiving, for metadata processing, a current instruction with associated metadata tags. The metadata processing is performed in a metadata processing domain isolated from a code execution domain including the current instruction. Each respective associated metadata tag represents a respective policy of the composite policy. For each respective metadata tag, the method includes determining, in the metadata processing domain and in accordance with the metadata tag and the current instruction, whether a rule exists for the current instruction in a rules cache. The rules cache may include rules on metadata used by the metadata processing to define allowed instructions. The determination of whether a rule exists results in a respective output, which may include generating a new rule and inserting the new rule in the rules cache. Control Status Registers, and associated tags, may be used to accomplish the metadata processing.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: A method of and system for performing metadata tag compression in security policy enforcement system may comprise conveying a set of data elements, each with an associated metadata tag, from a first processor subsystem to a second processor subsystem. The first processor subsystem may be configured to process conventional tasks, the second processor configured to apply one or more policy decisions to the data element. The conveying may further comprise sending the set of data elements along with an index element that identifies one or more metadata tags, and sending one or more of the metadata tags identified by the index element.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: Methods, systems, and computer readable media for using variable metadata tags. A method occurs at a metadata processing system for enforcing security policies in a processor architecture. The method comprises: receiving, at the metadata processing system, a tag associated with a word in memory, wherein the tag indicates a memory location containing metadata associated with the word and wherein the tag length is at least in part determined using tag usage frequency; obtaining the metadata from the memory location, and determining, using the metadata, whether the word or a related instruction violates a security policy.

Abstract: A system and method of processing instructions may comprise an application processing domain (APD) and a metadata processing domain (MTD). The APD may comprise an application processor executing instructions and providing related information to the MTD. The MTD may comprise a tag processing unit (TPU) having a cache of policy-based rules enforced by the MTD. The TPU may determine, based on policies being enforced and metadata tags and operands associated with the instructions, that the instructions are allowed to execute (i.e., are valid). The TPU may write, if the instructions are valid, the metadata tags to a queue. The queue may (i) receive operation output information from the application processing domain, (ii) receive, from the TPU, the metadata tags, (iii) output, responsive to receiving the metadata tags, resulting information indicative of the operation output information and the metadata tags; and (iv) permit the resulting information to be written to memory.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: A system and method of processing instructions may comprise an application processing domain (APD) and a metadata processing domain (MTD). The APD may comprise an application processor executing instructions and providing related information to the MTD. The MTD may comprise a tag processing unit (TPU) having a cache of policy-based rules enforced by the MTD. The TPU may determine, based on policies being enforced and metadata tags and operands associated with the instructions, that the instructions are allowed to execute (i.e., are valid). The TPU may write, if the instructions are valid, the metadata tags to a queue. The queue may (i) receive operation output information from the application processing domain, (ii) receive, from the TPU, the metadata tags, (iii) output, responsive to receiving the metadata tags, resulting information indicative of the operation output information and the metadata tags; and (iv) permit the resulting information to be written to memory.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit nay be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: A method comprises receiving a current instruction for metadata processing performed in a metadata processing domain that is isolated from a code execution domain including the current instruction. The method further comprises determining, by the metadata processing domain in connection with metadata for the current instruction, whether to allow execution of the current instruction in accordance with a set of one or more policies. The one or more policies may include a set of rules that enforces execution of a complete sequence of instructions in a specified order from a first instruction of the complete sequence to a last instruction of the complete sequence. The metadata processing may be implemented by a metadata processing hierarchy comprising a control module, a masking module, a hash module, a rule cache lookup module, and/or an output tag module.

Abstract: A method includes receiving, for metadata processing, a current instruction with associated metadata tags. The metadata processing is performed in a metadata processing domain isolated from a code execution domain including the current instruction. Each respective associated metadata tag represents a respective policy of the composite policy. For each respective metadata tag, the method includes determining, in the metadata processing domain and in accordance with the metadata tag and the current instruction, whether a rule exists for the current instruction in a rules cache. The rules cache may include rules on metadata used by the metadata processing to define allowed instructions. The determination of whether a rule exists results in a respective output, which may include generating a new rule and inserting the new rule in the rules cache. Control Status Registers, and associated tags, may be used to accomplish the metadata processing.

Abstract: Methods, systems, and computer readable media for using variable metadata tags. A method occurs at a metadata processing system for enforcing security policies in a processor architecture. The method comprises: receiving, at the metadata processing system, a tag associated with a word in memory, wherein the tag indicates a memory location containing metadata associated with the word and wherein the tag length is at least in part determined using tag usage frequency; obtaining the metadata from the memory location, and determining, using the metadata, whether the word or a related instruction violates a security policy.

Abstract: In an embodiment, a method includes, in a hardware processor, determining, for a processor instruction, a rule for matching a predicted memory tag. The method further includes determining a predicted memory tag based on applying the rule for matching the predicted memory tag. The method further includes determining an R tag based on applying the rule. The method further includes obtaining an actual memory tag from memory based on an operand of the processor instruction. The method further includes determining whether the predicted memory tag and the actual memory tag match. The method further includes, if the predicted memory tag and actual memory tag match, using the R tag as the R tag output.

Abstract: A method includes receiving, for metadata processing, a current instruction with a associated metadata tags. The metadata processing is performed in a metadata processing domain isolated from a code execution domain including the current instruction. Each respective associated metadata tag representing a respective policy of the composite policy. The associated metadata tags further including pointers to tags of a component policy of the composite policy. For each respective metadata tag, the method includes determining, in the metadata processing domain and in accordance with the metadata tag and the current instruction, whether a rule exists in a rule cache for the current instruction. The rule cache including rules on metadata used by said metadata processing to define allowed instructions. The determination of whether a rule exists resulting in a respective output.