Abstract: Various embodiments include methods and devices for generating a memory map configured to map virtual addresses of pages to physical addresses, in which pages of a same size are grouped into regions. The embodiments may include adding a first entry for a first additional page to a first region in the memory map, shifting virtual addresses of the first region to accommodate a shift of virtual addresses of the first region allocated for code by a sub-page granular shift amount, mapping shifted virtual addresses of the first entry for the first additional page to physical address mapped to a first lowest shifted virtually addressed page of the first region, and shifting the virtual addresses of the first region allocated for code by a sub-page granular shift amount, in which the virtual addresses of the first region allocated for code partially shift into the first entry for the first additional page.

Abstract: A method is provided for safely executing dynamically generated code to avoid the possibility of an attack in unprotected memory space. Upon ascertaining that dynamically generated code is to be executed, a processing circuit and/or operating system kernel restrict the dynamically generated code to use a first memory region within an unprotected memory space, where the first memory region is distinct (e.g., reserved) from other memory regions used by other processes executed by the processing circuit. A first processing stack is maintained for the dynamically generated code within the first memory region. This first processing stack is separate from a general processing stack used by other processes executed by the processing circuit. A stack pointer is switched/pointed to the first processing stack when the dynamically generated code is executed and the stack pointer is switched/pointed to the general processing stack when the dynamically generated code ends.

Abstract: Techniques for managing resources on computing device are provided. An example processor according to these techniques includes a resource management module (RMM) configured to be executed by the processor as an only privileged application on the processor such that the RMM has exclusive control over the allocation of memory resources utilized by the other applications executed by the processor and assignment of access permissions to the memory resources. The RMM is configured to manage the memory resources used by other applications executed by the processor, to group applications into logical compartments, and to enforce separation between the compartments such that resources associated with one compartment are inaccessible to another compartment. The processor may include a memory protection unit (MPU) configured to provide memory protection for memory utilized by the processor, and the RMM can be configured to dynamically configure the MPU regions to enforce separation between compartments.

Abstract: A method is provided for safely executing dynamically generated code to avoid the possibility of an attack in unprotected memory space. Upon ascertaining that dynamically generated code is to be executed, a processing circuit and/or operating system kernel restrict the dynamically generated code to use a first memory region within an unprotected memory space, where the first memory region is distinct (e.g., reserved) from other memory regions used by other processes executed by the processing circuit. A first processing stack is maintained for the dynamically generated code within the first memory region. This first processing stack is separate from a general processing stack used by other processes executed by the processing circuit. A stack pointer is switched/pointed to the first processing stack when the dynamically generated code is executed and the stack pointer is switched/pointed to the general processing stack when the dynamically generated code ends.

Abstract: Several features pertain to computing systems equipped to perform speculative processing and configured to access device memory (e.g. non-speculative or unspeculatable memory) and non-device memory (e.g. speculative or speculatable memory). Malicious attacks may seek to obtain sensitive information from such systems by exploiting speculative code execution. Herein, techniques are described whereby sensitive data is protected from such attacks by placing the data in a page of memory not ordinarily used as device memory, and then designating or marking the page as device memory (e.g. marking the page as unspeculatable). By designating the page as unspeculatable device memory, the processor does not speculatively access the sensitive information (e.g. speculation stops once a branch is invoked that would access the page) and so certain types of attacks can be mitigated.

Abstract: Techniques for mitigating an attack on baseband on a mobile wireless device are provided. An example method according to these techniques includes detecting a network switch event in which the mobile wireless device has disconnected from a first wireless network and connected to a second wireless network, performing an integrity check on one or more components of the mobile wireless device responsive to detecting the network switch event, and performing one or more actions responsive to the integrity check indicating that the one or more components of the mobile wireless device have been modified.

Abstract: A method of producing a control stack includes: writing a plurality of control information entries into a control stack buffer that is internal to a processor in response to one or more function calls; and in response to the control stack buffer being full and receiving a further function call, writing: the plurality of control information entries to an external memory that is external to the processor; and a further control information entry, corresponding to the further function call, to the control stack buffer.

Abstract: Techniques for enforcing flow control of a software program in a processor are provided. An example method according to these techniques includes analyzing program code of the software program to identify a code pointer in the program code, generating an authentication tag based on the code pointer, and modifying the code pointer in the program code with the authentication tag to generate a tagged code pointer.

Abstract: A way is provided to protect memory blocks from unauthorized access from executable instructions by defining various sets of instructions that are specifically bound to operate on defined memory blocks and inhibited from operating in other memory blocks. For instance, executable code may include a plurality of distinct read and write instructions where each read and/or write instruction is specific to one memory access tag from a plurality of different memory access tags. Memory blocks are also established and each memory block is associated with one of the plurality of different memory access tags. Consequently, if a first read and/or write instruction, associated with a first memory access tag, attempts to access a memory block associated with a different memory access tag, then execution of the first read and/or write instruction is inhibited or aborted.

Abstract: A method of producing a control stack includes: writing a plurality of control information entries into a control stack buffer that is internal to a processor in response to one or more function calls; and in response to the control stack buffer being full and receiving a further function call, writing: the plurality of control information entries to an external memory that is external to the processor; and a further control information entry, corresponding to the further function call, to the control stack buffer.

Abstract: Techniques for enforcing flow control of a software program in a processor are provided. An example method according to these techniques includes analyzing program code of the software program to identify a code pointer in the program code, generating an authentication tag based on the code pointer, and modifying the code pointer in the program code with the authentication tag to generate a tagged code pointer.