Patents by Inventor David M. Durham

David M. Durham has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10452848
    Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes scan manager to identify a physical memory address that has recently been accessed. The physical memory address is identified as having been recently accessed when an access has occurred within a threshold of a current time. The apparatus also includes a scanner to scan a threshold amount of memory beginning at the physical memory address, and determine whether the memory included in the threshold amount of memory includes a pattern indicative of malware.
    Type: Grant
    Filed: October 30, 2017
    Date of Patent: October 22, 2019
    Assignee: Intel Corporation
    Inventors: Michael LeMay, David M. Durham, Men Long
  • Publication number: 20190319781
    Abstract: There is disclosed in one example a microprocessor, including: an execution unit; a memory integrity engine (MIE) including a key rotation engine to rotate encryption keys for a secure memory region; and a memory hash register (MHR) to maintain a hash of a secure memory region state.
    Type: Application
    Filed: June 27, 2019
    Publication date: October 17, 2019
    Applicant: Intel Corporation
    Inventors: Siddhartha Chhabra, David M. Durham
  • Publication number: 20190296893
    Abstract: Various embodiments are generally directed to techniques for converting between different cipher systems, such as, for instance, between a cipher system used for a first encryption environment and a different cipher system used for a second encryption environment, for instance. Some embodiments are particularly directed to an encryption engine that supports memory operations between two or more encryption environments. Each encryption environment can use different cipher systems while the encryption engine can translate ciphertext between the different cipher systems. In various embodiments, for instance, the first encryption environment may include a main memory that uses a position dependent cipher system and the second encrypted environment may include a secondary memory that uses a position independent cipher system.
    Type: Application
    Filed: May 30, 2019
    Publication date: September 26, 2019
    Applicant: INTEL CORPORATION
    Inventors: SIDDHARTHA CHHABRA, DAVID M. DURHAM
  • Publication number: 20190278525
    Abstract: Various embodiments are generally directed to techniques for encrypting stored data. An apparatus includes a processor component comprising a cache that comprises a cache line to store a first block of data corresponding to a second block of encrypted data stored within a storage; a compressor to compress the data within the first block to generate compressed data within the first block to clear sufficient storage space within the first block to store metadata associated with generation of the second block of encrypted data from the first block in response to eviction of the first block from the cache line; and an encrypter to encrypt the compressed data within the first block to generate the encrypted data within the second block and to store encryption metadata associated with encrypting the compressed data within the second block as a portion of the metadata associated with the generation of the second block.
    Type: Application
    Filed: May 23, 2019
    Publication date: September 12, 2019
    Applicant: INTEL CORPORATION
    Inventors: SIDDHARTHA CHHABRA, DAVID M. DURHAM
  • Patent number: 10402574
    Abstract: Various embodiments are generally directed to techniques for multi-domain memory encryption, such as with a plurality of cryptographically isolated domains, for instance. Some embodiments are particularly directed to a multi-domain encryption system that provides one or more of memory encryption, integrity, and replay protection services to a plurality of cryptographic domains. In one embodiment, for example, an apparatus may comprise a memory and logic for an encryption engine, at least a portion of the logic implemented in circuitry coupled to the memory. In various embodiments, the logic may receive a memory operation request associated with a data line of a set of data lines stored in a protected memory separate from the memory.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: September 3, 2019
    Assignee: INTEL CORPORATION
    Inventors: Siddhartha Chhabra, David M. Durham
  • Patent number: 10387305
    Abstract: Techniques and computing devices for compression memory coloring are described. In one embodiment, for example, an apparatus may include at least one memory, at least on processor, and logic for compression memory coloring, at least a portion of the logic comprised in hardware coupled to the at least one memory and the at least one processor, the logic to determine whether data to be written to memory is compressible, generate a compressed data element responsive to determining data is compressible, the data element comprising a compression indicator, a color, and compressed data, and write the compressed data element to memory. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 23, 2016
    Date of Patent: August 20, 2019
    Assignee: INTEL CORPORATION
    Inventors: David M. Durham, Sergej Deutsch, Saeedeh Komijani, Alpa T. Narendra Trivedi, Siddhartha Chhabra
  • Patent number: 10372628
    Abstract: Solutions for secure memory access in a computing platform, include a multi-key encryption (MKE) engine as part of the memory interface between processor core(s) and memory of a computing platform. The processor core(s) perform workloads, each utilizing allocated portions of memory. The MKE engine performs key-based cryptography operations on data to isolate portions of the memory from workloads to which those portions of the memory are not allocated. A key-mapping data store is accessible to the MKE engine and contains associations between identifiers of portions of the memory, and corresponding key identification data from which cryptographic keys are obtained. A key tracking log is maintained by the MKE engine, and the MKE engine temporarily stores entries in the key tracking log containing the identifiers of the portions of the memory and key identification data for those portions of memory during memory-access operations of those portions of memory.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: August 6, 2019
    Assignee: Intel Corporation
    Inventors: Siddhartha Chhabra, David M. Durham
  • Publication number: 20190238560
    Abstract: Systems and method to provide secure storage are disclosed. An example method includes establishing a secure tunnel between a storage device and an agent, provide a command from the agent to the storage device via the secure tunnel, access first data at the storage device in response to the command, and identify a modification to data stored on the storage device by comparing the first data to second data, wherein the comparison is done using the storage device.
    Type: Application
    Filed: August 29, 2018
    Publication date: August 1, 2019
    Inventors: Nicholas D. Triantafillou, Paritosh Saxena, Paul J. Thadikaran, David M. Durham
  • Publication number: 20190229924
    Abstract: In one example a computer implemented method comprises encrypting data to be stored in a protected region of a memory using a message authentication code (MAC) having a first value determined using a first key during a first period of time, generating a replay integrity tree structure comprising security metadata for the data stored in the protected region of the memory using the first value of the MAC, and at the end of the first period of time, re-keying the MAC to have a second value determined using a second key at the end of the first period of time, decrypting the data stored in the protected region using the first value for the MAC, re-encrypting the data stored in the protected region using the second value for the MAC, and updating the replay integrity tree using the second value for the MAC. Other examples may be described.
    Type: Application
    Filed: March 28, 2019
    Publication date: July 25, 2019
    Applicant: Intel Corporation
    Inventors: Siddhartha Chhabra, Rajat Agarwal, David M. Durham
  • Publication number: 20190229925
    Abstract: The present disclosure is directed to systems and methods for the secure transmission of plaintext data blocks encrypted using a NIST standard encryption to provide a plurality of ciphertext data blocks, and using the ciphertext data blocks to generate a Galois multiplication-based authentication tag and parity information that is communicated in parallel with the ciphertext blocks and provides a mechanism for error detection, location and correction for a single ciphertext data block or a plurality of ciphertext data blocks included on a storage device. The systems and methods include encrypting a plurality of plaintext blocks to provide a plurality of ciphertext blocks. The systems and methods include generating a Galois Message Authentication Code (GMAC) authentication tag and parity information using the ciphertext blocks.
    Type: Application
    Filed: March 29, 2019
    Publication date: July 25, 2019
    Inventors: Michael Kounavis, Sergej Deutsch, David M. Durham, Karanvir Grewal
  • Publication number: 20190227951
    Abstract: Embodiments are directed to memory protection with hidden inline metadata. An embodiment of an apparatus includes processor cores; a computer memory for the storage of data; and cache memory communicatively coupled with one or more of the processor cores, wherein one or more processor cores of the plurality of processor cores are to implant hidden inline metadata in one or more cachelines for the cache memory, the hidden inline metadata being hidden at a linear address level.
    Type: Application
    Filed: March 29, 2019
    Publication date: July 25, 2019
    Applicant: Intel Corporation
    Inventors: David M. Durham, Ron Gabor
  • Publication number: 20190220625
    Abstract: According to one embodiment, a method comprises executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM). The VMM receives an encrypted key domain key, an encrypted guest code image, and an encrypted guest control structure. The VM also issues a create command. In response, a processor creates a first key domain comprising a region of memory to be encrypted by a key domain key. The encrypted key domain key is decrypted to produce the key domain key, which is inaccessible to the VMM. The VMM issues a launch command. In response, a first guest VM is launched within the first key domain. In response to a second launch command, a second guest VM is launched within the first key domain. The second guest VM provides an agent to act on behalf of the VMM. Other embodiments are described and claimed.
    Type: Application
    Filed: March 25, 2019
    Publication date: July 18, 2019
    Inventors: David M. Durham, Gilbert Neiger, Barry E. Huntley, Ravi L. Sahita, Baiju V. Patel
  • Publication number: 20190220349
    Abstract: In one example a computer implemented method comprises generating an error correction code for a memory line, the memory line comprising a first plurality of data blocks, wherein the error correction code comprises a first plurality of parity bits and a second plurality of parity bits, applying a domain-specific function to the second plurality of parity bits to generate a modified block of parity bits, generating a metadata block corresponding to the memory line, wherein the metadata block comprises the error correction code for the memory line and at least a portion of the modified block of parity bits, encoding the first plurality of data blocks and the metadata block to generate a first encoded data set, and providing the encoded data set and the encoded metadata block for storage on a memory module. Other examples may be described.
    Type: Application
    Filed: March 28, 2019
    Publication date: July 18, 2019
    Applicant: Intel Corporation
    Inventors: SERGEJ DEUTSCH, WEI WU, DAVID M. DURHAM, KARANVIR GREWAL
  • Publication number: 20190213143
    Abstract: The presently disclosed method and apparatus for sharing security metadata memory space proposes a technique to allow metadata sharing two different encryption techniques. A section of memory encrypted using a first type of encryption and having first security metadata associated therewith is converted to a section of memory encrypted using a second type of encryption and having second security metadata associated therewith. At least a portion of said first security metadata shares a memory space with at least a portion of said second security metadata for a same section of memory.
    Type: Application
    Filed: September 30, 2016
    Publication date: July 11, 2019
    Applicant: Intel Corporation
    Inventors: SIDDHARTHA CHHABRA, DAVID M. DURHAM
  • Patent number: 10346318
    Abstract: Embodiments of apparatus, method, and storage medium associated with multi-stage memory integrity for securing/protecting memory content are described herein. In some embodiments, an apparatus may include multiple stages having respective encryption engines to encrypt data in response to a write or restore operation; wherein the encryption engines are to successively encrypt the data in a plurality of encryption stages using a plurality of tweaks based on a plurality of selectors of different types {s1, s2, . . . }. In embodiments, the multiple stages may further comprise one or more decryption engines to partially, fully, or pseudo decrypt the plural encrypted data, in response to a read, move or copy operation; wherein the one or more decryption engines are to partially, fully, or pseudo decrypt the plural encrypted data in one or more decryption stages using one or more tweaks based on a subset of the selectors of different types {s1, s2, . . . }.
    Type: Grant
    Filed: September 13, 2016
    Date of Patent: July 9, 2019
    Assignee: Intel Corporation
    Inventors: Sergej Deutsch, David M. Durham, Karanvir S. Grewal, Michael E. Kounavis
  • Patent number: 10341087
    Abstract: Various embodiments are generally directed to techniques for converting between different cipher systems, such as, for instance, between a cipher system used for a first encryption environment and a different cipher system used for a second encryption environment, for instance. Some embodiments are particularly directed to an encryption engine that supports memory operations between two or more encryption environments. Each encryption environment can use different cipher systems while the encryption engine can translate ciphertext between the different cipher systems. In various embodiments, for instance, the first encryption environment may include a main memory that uses a position dependent cipher system and the second encrypted environment may include a secondary memory that uses a position independent cipher system.
    Type: Grant
    Filed: December 29, 2016
    Date of Patent: July 2, 2019
    Assignee: INTEL CORPORATION
    Inventors: Siddhartha Chhabra, David M. Durham
  • Patent number: 10324863
    Abstract: Generally, this disclosure provides systems, methods and computer readable media for a protected memory view in a virtual machine (VM) environment enabling nested page table access by trusted guest software outside of VMX root mode. The system may include an editor module configured to provide access to a nested page table structure, by operating system (OS) kernel components and by user space applications within a guest of the VM, wherein the nested page table structure is associated with one of the protected memory views. The system may also include a page handling processor configured to secure that access by maintaining security information in the nested page table structure.
    Type: Grant
    Filed: June 24, 2013
    Date of Patent: June 18, 2019
    Assignee: Intel Corporation
    Inventors: Michael Lemay, David M. Durham, Ravi L. Sahita, Andrew V. Anderson
  • Patent number: 10318733
    Abstract: Various embodiments are generally directed to techniques for detecting malware in a manner that mitigates the consumption of processing and/or storage resources of a processing device. An apparatus may include a first processor component of a processing device to generate entries in a chronological order within a first page modification log maintained within a first storage divided into multiple pages, each entry to indicate a write access made by the first processor component to a page of the multiple pages; a retrieval component of a graphics controller of the processing device to recurringly retrieve indications from the first page modification log of at least one recently written page of the multiple pages; and a scan component of the graphics controller to recurringly scan the at least one recently written page to detect malware within the at least one recently written page.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: June 11, 2019
    Assignee: INTEL CORPORATION
    Inventors: Michael Lemay, David M. Durham
  • Patent number: 10310774
    Abstract: Various embodiments are generally directed to techniques for encrypting stored data. An apparatus includes a processor component comprising a cache that comprises a cache line to store a first block of data corresponding to a second block of encrypted data stored within a storage; a compressor to compress the data within the first block to generate compressed data within the first block to clear sufficient storage space within the first block to store metadata associated with generation of the second block of encrypted data from the first block in response to eviction of the first block from the cache line; and an encrypter to encrypt the compressed data within the first block to generate the encrypted data within the second block and to store encryption metadata associated with encrypting the compressed data within the second block as a portion of the metadata associated with the generation of the second block.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: June 4, 2019
    Assignee: INTEL CORPORATION
    Inventors: Siddhartha Chhabra, David M. Durham
  • Patent number: 10303899
    Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, can verify correctness of the control structures of guest VMs.
    Type: Grant
    Filed: February 28, 2017
    Date of Patent: May 28, 2019
    Assignee: Intel Corporation
    Inventors: David M. Durham, Gilbert Neiger, Barry E. Huntley, Ravi L. Sahita, Baiju V. Patel