Abstract: Sensitive data is stored in a secure buffer, and never in an unencrypted, accessible location at any time. The data is accessed only by low-level processor instructions that load only a portion of the data into processor registers. The portion of data can then be used before the next portion of data is transferred from the secure buffer into the processor registers. In some embodiments, only one portion is available at any time. In other embodiments, a number of portions may be available at one time. However, the entirety of the sensitive data is never present in the clear. Thus, the entirety of the sensitive data will never be available if an adversary gains access to the contents of memory.

Abstract: A mechanism for redirecting a code execution path in a running process. A one-byte interrupt instruction (e.g., INT 3) is inserted into the code path. The interrupt instruction passes control to a kernel handler, which after executing a replacement function, returns to continue executing the process. The replacement function resides in a memory space that is accessible to the kernel handler. The redirection mechanism may be applied without requiring a reboot of the computing device on which the running process is executing. In addition, the redirection mechanism may be applied without overwriting more than one byte in the original code.