Patents by Inventor Baiju V. Patel

Baiju V. Patel has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20190220625
    Abstract: According to one embodiment, a method comprises executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM). The VMM receives an encrypted key domain key, an encrypted guest code image, and an encrypted guest control structure. The VM also issues a create command. In response, a processor creates a first key domain comprising a region of memory to be encrypted by a key domain key. The encrypted key domain key is decrypted to produce the key domain key, which is inaccessible to the VMM. The VMM issues a launch command. In response, a first guest VM is launched within the first key domain. In response to a second launch command, a second guest VM is launched within the first key domain. The second guest VM provides an agent to act on behalf of the VMM. Other embodiments are described and claimed.
    Type: Application
    Filed: March 25, 2019
    Publication date: July 18, 2019
    Inventors: David M. Durham, Gilbert Neiger, Barry E. Huntley, Ravi L. Sahita, Baiju V. Patel
  • Publication number: 20190196983
    Abstract: Various embodiments are generally directed to the providing for mutual authentication and secure distributed processing of multi-party data. In particular, an experiment may be submitted to include the distributed processing of private data owned by multiple distrustful entities. Private data providers may authorize the experiment and securely transfer the private data for processing by trusted computing nodes in a pool of trusted computing nodes.
    Type: Application
    Filed: February 28, 2019
    Publication date: June 27, 2019
    Applicant: INTEL CORPORATION
    Inventors: HORMUZD M. KHOSRAVI, Baiju V. Patel
  • Patent number: 10303899
    Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, can verify correctness of the control structures of guest VMs.
    Type: Grant
    Filed: February 28, 2017
    Date of Patent: May 28, 2019
    Assignee: Intel Corporation
    Inventors: David M. Durham, Gilbert Neiger, Barry E. Huntley, Ravi L. Sahita, Baiju V. Patel
  • Patent number: 10255202
    Abstract: Various embodiments are generally directed to the providing for mutual authentication and secure distributed processing of multi-party data. In particular, an experiment may be submitted to include the distributed processing of private data owned by multiple distrustful entities. Private data providers may authorize the experiment and securely transfer the private data for processing by trusted computing nodes in a pool of trusted computing nodes.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: April 9, 2019
    Assignee: INTEL CORPORATION
    Inventors: Hormuzd M. Khosravi, Baiju V. Patel
  • Publication number: 20190095350
    Abstract: In one embodiment, a cryptographic circuit is adapted to receive a data line including at least an encrypted portion from a memory in response to a read request having a memory address from a first agent, obtain a key identifier for a key of the first agent from the data line, obtain the key using the key identifier, decrypt the at least encrypted portion of the data line using the key and send decrypted data of the at least encrypted portion of the data line to the first agent. Other embodiments are described and claimed.
    Type: Application
    Filed: September 25, 2017
    Publication date: March 28, 2019
    Inventors: David M. Durham, Siddhartha Chhabra, Amy L. Santoni, Gilbert Neiger, Barry E. Huntley, Hormuzd M. Khosravi, Baiju V. Patel, Ravi L. Sahita, Gideon Gerzon, Ido Ouziel, Ioannis T. Schoinas, Rajesh M. Sankaran
  • Publication number: 20190087575
    Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.
    Type: Application
    Filed: September 15, 2017
    Publication date: March 21, 2019
    Inventors: Ravi L. Sahita, Baiju V. Patel, Barry E. Huntley, Gilbert Neiger, Hormuzd M. Khosravi, Ido Ouziel, David M. Durham, Ioannis T. Schoinas, Siddhartha Chhabra, Carlos V. Rozas, Gideon Gerzon
  • Publication number: 20190042764
    Abstract: In a public cloud environment, each consumer's/guest's workload is encrypted in a cloud service provider's (CSP's) server memory using a consumer-provided key unknown to the CSP's workload management software. An encrypted consumer/guest workload image is loaded into the CSP's server memory at a memory location specified by the CSP's workload management software. Based upon the CSP-designated memory location, the guest workload determines expected hardware physical addresses into which memory mapping structures and other types of consumer data should be loaded. These expected hardware physical addresses are specified by the guest workload in a memory ownership table (MOT), which is used to check that subsequently CSP-designated memory mappings are as expected. Memory ownership table entries also may be encrypted by the consumer-provided key unknown to the CSP.
    Type: Application
    Filed: November 10, 2017
    Publication date: February 7, 2019
    Inventors: David M. Durham, Siddhartha Chhabra, Ravi L. Sahita, Barry E. Huntley, Gilbert Neiger, Gideon Gerzon, Baiju V. Patel
  • Publication number: 20180373895
    Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, can verify correctness of the control structures of guest VMs.
    Type: Application
    Filed: February 28, 2017
    Publication date: December 27, 2018
    Inventors: David M. Durham, Gilbert Neiger, Barry E. Huntley, Ravi L. Sahita, Baiju V. Patel
  • Patent number: 10162640
    Abstract: A processor is described having a functional unit within an instruction execution pipeline. The functional unit having circuitry to determine whether substantive data from a larger source data size will fit within a smaller data size that the substantive data is to flow to.
    Type: Grant
    Filed: August 16, 2016
    Date of Patent: December 25, 2018
    Assignee: Intel Corporation
    Inventors: Martin G. Dixon, Baiju V. Patel, Rajeev Gopalakrishna
  • Patent number: 10114768
    Abstract: A processing system includes a processing core and a memory management unit, communicatively coupled to the processing core, comprising a storage device to store a page table entry (PTE) comprising a mapping from a virtual memory page referenced by an application running on the processing core to an identifier of a memory frame of a memory, a first plurality of access permission flags associated with accessing the memory frame under a first privilege mode, and a second plurality of access permission flags associated with accessing the memory under a second privilege mode.
    Type: Grant
    Filed: August 29, 2016
    Date of Patent: October 30, 2018
    Assignee: Intel Corporation
    Inventors: Gur Hildesheim, Gilbert Neiger, Baiju V. Patel, Ron Rais
  • Publication number: 20180285559
    Abstract: The present disclosure is directed to systems and methods for detecting stack-pivot attacks in a processor-based device. Processor circuitry executes one or more applications via sequential execution of instructions on a stack. Stack pivot attacks occur when an attacker takes control of the stack and uses the stack to execute a series of code sections referred to as “gadgets.” A stack-pivot attack detector establishes an allowable processor stack offset change value associated with an application and monitors a processor stack offset change value responsive to an occurrence of a processor stack exchange instruction. A stack-pivot attack is detected when the processor offset change value exceeds the allowable processor stack offset change value. Upon detecting a stack-pivot attack, the stack-pivot detection circuitry causes the selective termination of the application.
    Type: Application
    Filed: March 28, 2017
    Publication date: October 4, 2018
    Inventors: Rodrigo Branco, Xiaoning Li, David M. Durham, Hongliang Gao, Stephen A. Fischer, Baiju V. Patel
  • Patent number: 10089247
    Abstract: One embodiment provides an apparatus. The apparatus includes an input output memory management unit (I/O MMU), a non-secure operating system (OS) driver, a secure OS driver and a virtual machine monitor (VMM). The I/OMMU is to couple an I/O Controller to a memory. The I/O Controller is coupled to a secure device and a non-secure device and has one I/O Controller identifier. The non-secure OS driver is associated with the non-secure device. The secure OS driver is associated with the secure device. The VMM is to allocate a secure address space to a secure OS and a non-secure address space to a non-secure OS. The secure address space is non-overlapping with the non-secure address space.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: October 2, 2018
    Assignee: Intel Corporation
    Inventors: Nitin V. Sarangdhar, Baiju V. Patel, Tin-Cheung Kung, Joseph F. Cihula, Prashant Sethi, Vinay Kumar Rangineni
  • Publication number: 20180247082
    Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, can verify correctness of the control structures of guest VMs.
    Type: Application
    Filed: February 28, 2017
    Publication date: August 30, 2018
    Inventors: David M. Durham, Gilbert Neiger, Barry E. Huntley, Ravi L. Sahita, Baiju V. Patel
  • Patent number: 9965619
    Abstract: Embodiments of an invention for a return address overflow buffer are disclosed. In one embodiment, a processor includes a stack pointer to store a reference to a first return address stored on a stack, an obscured address stack pointer to store a reference to an encrypted second return address stored in a memory, hardware to decrypt the encrypted second return address to generate a decrypted second return address, and a return address verification logic, responsive to receiving a return instruction, to compare the first return address to the decrypted second return address.
    Type: Grant
    Filed: July 13, 2015
    Date of Patent: May 8, 2018
    Assignee: Intel Corporation
    Inventors: Jason W. Brandt, Vedvyas Shanbhogue, Baiju V. Patel
  • Publication number: 20180095898
    Abstract: Various embodiments are generally directed to the providing for mutual authentication and secure distributed processing of multi-party data. In particular, an experiment may be submitted to include the distributed processing of private data owned by multiple distrustful entities. Private data providers may authorize the experiment and securely transfer the private data for processing by trusted computing nodes in a pool of trusted computing nodes.
    Type: Application
    Filed: September 30, 2016
    Publication date: April 5, 2018
    Applicant: INTEL CORPORATION
    Inventors: HORMUZD M. KHOSRAVI, BAIJU V. PATEL
  • Publication number: 20180095900
    Abstract: One embodiment provides an apparatus. The apparatus includes an input output memory management unit (I/O MMU), a non-secure operating system (OS) driver, a secure OS driver and a virtual machine monitor (VMM). The I/OMMU is to couple an I/O Controller to a memory. The I/O Controller is coupled to a secure device and a non-secure device and has one I/O Controller identifier. The non-secure OS driver is associated with the non-secure device. The secure OS driver is associated with the secure device. The VMM is to allocate a secure address space to a secure OS and a non-secure address space to a non-secure OS. The secure address space is non-overlapping with the non-secure address space.
    Type: Application
    Filed: September 30, 2016
    Publication date: April 5, 2018
    Applicant: INTEL CORPORATION
    Inventors: Nitin V. Sarangdhar, Baiju V. Patel, Tin-Cheung Kung, Joseph F. Cihula, Prashant Sethi, Vinay Kumar Rangineni
  • Publication number: 20180074969
    Abstract: A processing system includes a processing core to execute a virtual machine (VM) comprising a guest operating system (OS) and a memory management unit, communicatively coupled to the processing core, comprising a storage device to store an extended page table entry (EPTE) comprising a mapping from a guest physical address (GPA) associated with the guest OS to an identifier of a memory frame, a first plurality of access right flags associated with accessing the memory frame in a first page mode referenced by an attribute of a memory page identified by the GPA, and a second plurality of access right flags associated with accessing the memory frame in a second page mode referenced by the attribute of the memory page identified by the GPA.
    Type: Application
    Filed: September 9, 2016
    Publication date: March 15, 2018
    Inventors: Gilbert Neiger, Baiju V. Patel, Gur Hildesheim, Ron Rais, Andrew V. Anderson, Jason W. Brandt, David M. Durham, Barry E. Huntley, Raanan Sade, Ravi L. Sahita, Vedvyas Shanbhogue, Arumugam Thiyagarajah
  • Publication number: 20180060250
    Abstract: A processing system includes a processing core and a memory management unit, communicatively coupled to the processing core, comprising a storage device to store a page table entry (PTE) comprising a mapping from a virtual memory page referenced by an application running on the processing core to an identifier of a memory frame of a memory, a first plurality of access permission flags associated with accessing the memory frame under a first privilege mode, and a second plurality of access permission flags associated with accessing the memory under a second privilege mode.
    Type: Application
    Filed: August 29, 2016
    Publication date: March 1, 2018
    Inventors: Gur Hildesheim, Gilbert Neiger, Baiju V. Patel, Ron Rais
  • Patent number: 9875102
    Abstract: Embodiments of the invention provide a method of creating, based on an operating-system-scheduled thread running on an operating-system-visible sequencer and using an instruction set extension, a persistent user-level thread to run on an operating-system-sequestered sequencer independently of context switch activities on the operating-system-scheduled thread. The operating-system-scheduled thread and the persistent user-level thread may share a common virtual address space. Embodiments of the invention may also provide a method of causing a service thread running on an additional operating-system-visible sequencer to provide operating system services to the persistent user-level thread. Embodiments of the invention may further provide apparatus, system, and machine-readable medium thereof.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: January 23, 2018
    Assignee: Intel Corporation
    Inventors: Gautham Chinya, Hong Wang, Prashant Sethi, Shivnandan Kaushik, Bryant Bigbee, John Shen, Richard Hankins, Xiang Zou, Baiju V. Patel, Jason W. Brandt, Anil Aggarwal, John L. Reid
  • Patent number: 9766891
    Abstract: Embodiments of the invention provide a method of creating, based on an operating-system-scheduled thread running on an operating-system-visible sequencer and using an instruction set extension, a persistent user-level thread to run on an operating-system-sequestered sequencer independently of context switch activities on the operating-system-scheduled thread. The operating-system-scheduled thread and the persistent user-level thread may share a common virtual address space. Embodiments of the invention may also provide a method of causing a service thread running on an additional operating-system-visible sequencer to provide operating system services to the persistent user-level thread. Embodiments of the invention may further provide apparatus, system, and machine-readable medium thereof.
    Type: Grant
    Filed: May 27, 2016
    Date of Patent: September 19, 2017
    Assignee: Intel Corporation
    Inventors: Gautham Chinya, Hong Wang, Prashant Sethi, Shivnandan Kaushik, Bryant Bigbee, John Shen, Richard Hankins, Xiang Zou, Baiju V. Patel, Jason W. Brandt, Anil Aggarwal, John L. Reid