Patents by Inventor Baruch Chaikin

Baruch Chaikin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10489308
    Abstract: Various systems and methods for detecting and preventing side-channel attacks, including attacks aimed at discovering the location of KASLR-randomized privileged code sections in virtual memory address space, are described. In an example, a computing system includes electronic operations for detecting unauthorized attempts to access kernel virtual memory pages via trap entry detection, with operations including: generating a trap page with a physical memory address; assigning a phantom page at an open location in the privileged portion of the virtual memory address space; generating a plurality of phantom page table entries corresponding to an otherwise-unmapped privileged virtual memory region; placing the trap page in physical memory and placing the phantom page table entry in a page table map; and detecting an access to the trap page via the phantom page table entry, to trigger a response to a potential attack.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: November 26, 2019
    Assignee: Intel Corporation
    Inventors: Uri Bear, Gyora Benedek, Baruch Chaikin, Jacob Jack Doweck, Reuven Elbaum, Dimitry Kloper, Elad Peer, Chaim Shen-orr, Yonatan Shlomovich
  • Publication number: 20190213330
    Abstract: The present disclosure is directed to systems and methods of detecting a side-channel attack detecting a translation lookaside buffer (TLB) miss on a virtual address lookup caused by the speculative execution of an instruction and determining that the physical memory address associated with the virtual address lookup contains a privileged object or a secret object. Range register circuitry determines whether the physical memory address is located in an address range containing privileged objects or secret objects. Performance monitoring counter circuitry receives information indicative of the TLB miss and information indicative that the physical memory address contains a privileged object or a secret object. The PMC circuitry generates an interrupt in response to receipt of information indicative of the TLB miss and information indicative that the physical memory address contains a privileged object or a secret object.
    Type: Application
    Filed: March 15, 2019
    Publication date: July 11, 2019
    Applicant: Intel Corporation
    Inventors: CHAIM SHEN-ORR, BARUCH CHAIKIN, AHMAD YASIN, REUVEN ELBAUM
  • Patent number: 10339327
    Abstract: Technologies for securely binding a manifest to a platform include a computing device having a security engine and a field-programmable fuse. The computing device receives a platform manifest indicative of a hardware configuration of the computing device and a manifest hash. The security engine of the computing device blows a bit of a field programmable fuse and then stores the manifest hash and a counter value of the field-programmable fuse in integrity-protected non-volatile storage. In response to a platform reset, the security engine verifies the stored manifest hash and counter value and then determines whether the stored counter value matches the field-programmable fuse. If verified and current, trusted software may calculate a hash of the platform manifest and compare the calculated hash to the stored manifest hash. If matching, the platform manifest may be used to discover platform hardware. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 20, 2017
    Date of Patent: July 2, 2019
    Assignee: Intel Corporation
    Inventors: Pradeep M. Pappachan, Reshma Lal, Siddhartha Chhabra, Gideon Gerzon, Baruch Chaikin, Bin Xing, William A. Stevens, Jr.
  • Patent number: 10216662
    Abstract: Embodiments of systems, apparatuses, and methods for remote action handling are describe. In an embodiment, a hardware apparatus comprises: a first register to store a memory address of a payload corresponding to an action to be performed associated with a remote action request (RAR) interrupt, a second register to store a memory address of an action list accessible by a plurality of processors, and a remote action handler circuit to identify a received RAR interrupt, perform an action of the received RAR interrupt, and signal acknowledgment to an initiating processor upon completion of the action.
    Type: Grant
    Filed: September 26, 2015
    Date of Patent: February 26, 2019
    Assignee: Intel Corporation
    Inventors: Michael Mishaeli, Ido Ouziel, Baruch Chaikin, Yoav Zach
  • Publication number: 20190042766
    Abstract: In one embodiment, an apparatus includes: a memory encryption circuit to encrypt data from a protected device, the data to be stored to a memory; and a filter circuit coupled to the memory encryption circuit, the filter circuit including a plurality of filter entries, each filter entry to store a channel identifier corresponding to a protected device, an access control policy for the protected device, and a session encryption key provided by an enclave, the enclave permitted to access the data according to the access control policy, where the filter circuit is to receive the session encryption key from the enclave in response to validation of the enclave. Other embodiments are described and claimed.
    Type: Application
    Filed: August 27, 2018
    Publication date: February 7, 2019
    Inventors: Pradeep M. Pappachan, Siddhartha Chhabra, Bin Xing, Reshma Lal, Baruch Chaikin
  • Publication number: 20190042467
    Abstract: Examples include a processor including at least one untrusted extended page table (EPT), circuitry to execute a set of instructions of the instruction set architecture (ISA) of the processor to manage at least one secure extended page table (SEPT), and a physical address translation component to translate a guest physical address of a guest physical memory to a host physical address of a host physical memory using one of the at least one untrusted EPT and the at least one SEPT.
    Type: Application
    Filed: June 29, 2018
    Publication date: February 7, 2019
    Inventors: Ravi SAHITA, Barry E. HUNTLEY, Vedvyas SHANBHOGUE, Dror CASPI, Baruch CHAIKIN, Gilbert NEIGER, Arie AHARON, Arumugam THIYAGARAJAH
  • Publication number: 20190004972
    Abstract: Various systems and methods for detecting and preventing side-channel attacks, including attacks aimed at discovering the location of KASLR-randomized privileged code sections in virtual memory address space, are described. In an example, a computing system includes electronic operations for detecting unauthorized attempts to access kernel virtual memory pages via trap entry detection, with operations including: generating a trap page with a physical memory address; assigning a phantom page at an open location in the privileged portion of the virtual memory address space; generating a plurality of phantom page table entries corresponding to an otherwise-unmapped privileged virtual memory region; placing the trap page in physical memory and placing the phantom page table entry in a page table map; and detecting an access to the trap page via the phantom page table entry, to trigger a response to a potential attack.
    Type: Application
    Filed: June 29, 2017
    Publication date: January 3, 2019
    Inventors: Uri Bear, Gyora Benedek, Baruch Chaikin, Jacob Jack Doweck, Reuven Elbaum, Dimitry Kloper, Elad Peer, Chaim Shen-orr, Yonatan Shlomovich
  • Patent number: 10169574
    Abstract: An embodiment includes a processor coupled to memory to perform operations comprising: creating a first trusted execution environment (TXE), in protected non-privileged user address space of the memory, which makes a first measurement for at least one of first data and first executable code and which encrypts the first measurement with a persistent first hardware based encryption key while the first measurement is within the first TXE; creating a second TXE, in the non-privileged user address space, which makes a second measurement for at least one of second data and second executable code; creating a third TXE in the non-privileged user address space; creating a first secure communication channel between the first and third TXEs and a second secure communication channel between the second and third TXEs; and communicating the first measurement between the first and third TXEs via the first secure communication channel. Other embodiments are described herein.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: January 1, 2019
    Assignee: Intel Corporation
    Inventors: Nadav Nesher, Alex Berenzon, Baruch Chaikin
  • Publication number: 20180189482
    Abstract: An embodiment includes a processor coupled to memory to perform operations comprising: creating a first trusted execution environment (TXE), in protected non-privileged user address space of the memory, which makes a first measurement for at least one of first data and first executable code and which encrypts the first measurement with a persistent first hardware based encryption key while the first measurement is within the first TXE; creating a second TXE, in the non-privileged user address space, which makes a second measurement for at least one of second data and second executable code; creating a third TXE in the non-privileged user address space; creating a first secure communication channel between the first and third TXEs and a second secure communication channel between the second and third TXEs; and communicating the first measurement between the first and third TXEs via the first secure communication channel. Other embodiments are described herein.
    Type: Application
    Filed: February 28, 2018
    Publication date: July 5, 2018
    Inventors: Nadav Nesher, Alex Berenzon, Baruch Chaikin
  • Patent number: 9940456
    Abstract: An embodiment includes a processor coupled to memory to perform operations comprising: creating a first trusted execution environment (TXE), in protected non-privileged user address space of the memory, which makes a first measurement for at least one of first data and first executable code and which encrypts the first measurement with a persistent first hardware based encryption key while the first measurement is within the first TXE; creating a second TXE, in the non-privileged user address space, which makes a second measurement for at least one of second data and second executable code; creating a third TXE in the non-privileged user address space; creating a first secure communication channel between the first and third TXEs and a second secure communication channel between the second and third TXEs; and communicating the first measurement between the first and third TXEs via the first secure communication channel. Other embodiments are described herein.
    Type: Grant
    Filed: December 16, 2014
    Date of Patent: April 10, 2018
    Assignee: Intel Corporation
    Inventors: Nadav Nesher, Alex Berenzon, Baruch Chaikin
  • Publication number: 20170364707
    Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.
    Type: Application
    Filed: June 20, 2017
    Publication date: December 21, 2017
    Inventors: Reshma Lal, Gideon Gerzon, Baruch Chaikin, Siddhartha Chhabra, Pradeep M. Pappachan, Bin Xing
  • Publication number: 20170364689
    Abstract: Technologies for securely binding a manifest to a platform include a computing device having a security engine and a field-programmable fuse. The computing device receives a platform manifest indicative of a hardware configuration of the computing device and a manifest hash. The security engine of the computing device blows a bit of a field programmable fuse and then stores the manifest hash and a counter value of the field-programmable fuse in integrity-protected non-volatile storage. In response to a platform reset, the security engine verifies the stored manifest hash and counter value and then determines whether the stored counter value matches the field-programmable fuse. If verified and current, trusted software may calculate a hash of the platform manifest and compare the calculated hash to the stored manifest hash. If matching, the platform manifest may be used to discover platform hardware. Other embodiments are described and claimed.
    Type: Application
    Filed: June 20, 2017
    Publication date: December 21, 2017
    Inventors: Pradeep M. Pappachan, Reshma Lal, Siddhartha Chhabra, Gideon Gerzon, Baruch Chaikin, Bin Xing, William A. Stevens, JR.
  • Publication number: 20170091128
    Abstract: Embodiments of systems, apparatuses, and methods for remote action handling are describe. In an embodiment, a hardware apparatus comprises: a first register to store a memory address of a payload corresponding to an action to be performed associated with a remote action request (RAR) interrupt, a second register to store a memory address of an action list accessible by a plurality of processors, and a remote action handler circuit to identify a received RAR interrupt, perform an action of the received RAR interrupt, and signal acknowledgment to an initiating processor upon completion of the action.
    Type: Application
    Filed: September 26, 2015
    Publication date: March 30, 2017
    Inventors: Michael Mishaeli, Ido Ouziel, Baruch Chaikin, Yoav Zach
  • Publication number: 20160171248
    Abstract: An embodiment includes a processor coupled to memory to perform operations comprising: creating a first trusted execution environment (TXE), in protected non-privileged user address space of the memory, which makes a first measurement for at least one of first data and first executable code and which encrypts the first measurement with a persistent first hardware based encryption key while the first measurement is within the first TXE; creating a second TXE, in the non-privileged user address space, which makes a second measurement for at least one of second data and second executable code; creating a third TXE in the non-privileged user address space; creating a first secure communication channel between the first and third TXEs and a second secure communication channel between the second and third TXEs; and communicating the first measurement between the first and third TXEs via the first secure communication channel. Other embodiments are described herein.
    Type: Application
    Filed: December 16, 2014
    Publication date: June 16, 2016
    Inventors: Nadav Nesher, Alex Berenzon, Baruch Chaikin
  • Publication number: 20110016290
    Abstract: In one embodiment, a method includes receiving control of a first processor transitioned from a virtual machine due to a privileged event pertaining to a translation-lookaside buffer, and determining which entries in a guest translation data structure were modified by the virtual machine. The determination is made based on metadata extracted from a shadow translation data structure maintained by a virtual machine monitor and attributes associated with entries in the shadow translation data structure. The metadata includes an active entry list identifying mappings that map pages used by a guest operating system in forming the guest translation data structure.
    Type: Application
    Filed: July 14, 2009
    Publication date: January 20, 2011
    Inventors: Arie Chobotaro, Rinat Rappoport, Andrew V. Anderson, Baruch Chaikin