Abstract: A system including at least one processor programmed to identify, based on a policy to be enforced, one or more metadata symbols corresponding to an entity name; identify, from a target description describing a target system, an entity description matching the entity name, wherein the entity description describes an entity of the target system; and apply a metadata label to the entity of the target system, wherein the metadata label is based on the one or more metadata symbols corresponding to the entity name, as identified based on the policy.

Abstract: A system and method of processing instructions may comprise an application processing domain (APD) and a metadata processing domain (MTD). The APD may comprise an application processor executing instructions and providing related information to the MTD. The MTD may comprise a tag processing unit (TPU) having a cache of policy-based rules enforced by the MTD. The TPU may determine, based on policies being enforced and metadata tags and operands associated with the instructions, that the instructions are allowed to execute (i.e., are valid). The TPU may write, if the instructions are valid, the metadata tags to a queue. The queue may (i) receive operation output information from the application processing domain, (ii) receive, from the TPU, the metadata tags, (iii) output, responsive to receiving the metadata tags, resulting information indicative of the operation output information and the metadata tags; and (iv) permit the resulting information to be written to memory.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, satiety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: A method of and system for performing metadata tag compression in security policy enforcement system may comprise conveying a set of data elements, each with an associated metadata tag, from a first processor subsystem to a second processor subsystem. The first processor subsystem may be configured to process conventional tasks, the second processor configured to apply one or more policy decisions to the data element. The conveying may further comprise sending the set of data elements along with an index element that identifies one or more metadata tags, and sending one or more of the metadata tags identified by the index element.

Abstract: A method includes receiving, for metadata processing, a current instruction with a associated metadata tags. The metadata processing is performed in a metadata processing domain isolated from a code execution domain including the current instruction. Each respective associated metadata tag representing a respective policy of the composite policy. The associated metadata tags further including pointers to tags of a component policy of the composite policy. For each respective metadata tag, the method includes determining, in the metadata processing domain and in accordance with the metadata tag and the current instruction, whether a rule exists in a rule cache for the current instruction. The rule cache including rules on metadata used by said metadata processing to define allowed instructions. The determination of whether a rule exists resulting in a respective output.

Abstract: In an embodiment, a method includes, in a hardware processor, determining, for a processor instruction, a rule for matching a predicted memory tag. The method further includes determining a predicted memory tag based on applying the rule for matching the predicted memory tag. The method further includes determining an R tag based on applying the rule. The method further includes obtaining an actual memory tag from memory based on an operand of the processor instruction. The method further includes determining whether the predicted memory tag and the actual memory tag match. The method further includes, if the predicted memory tag and actual memory tag match, using the R tag as the R tag output.

Abstract: A method of enforcing a set of security policies may comprise executing, by a first processor, a first set of processor instructions directed to conventional tasks, and executing, by a second processor, a second set of processor instructions directed to manipulating metadata. The executing by the second processor may comprise (i) evaluating a current instruction being executed by the first processor, along with a metadata tag associated with the current instruction, (ii) identifying a rule in a rule cache that is applicable to the current instruction and the associated metadata tag, and (iii) applying a policy decision to the current instruction according to the rule.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: An exception handling system and method for PC-mapped systems. A support library containing language-independent functions is used to raise exceptions. These functions then use language-dependent callback functions to make inquiries about the stack frames built by the language-dependent code, and to further make callbacks to language-dependent functions to clean up those stack frames. The support library works its way up the function call stack from where an exception was issued, searching for function frames that are interested in the exception. An unwind phase is begun when a function frame that is interested in the exception is found. In the unwind phase, the unwinder attempts to unwind the stack up to the interested frame, restoring callee-saved register values, and other pertinent processor-specific information, such as the stack pointer, and frame register. The unwinder then transfers control to the handler code specified by the interested function.

Abstract: An exception handling system and method for PC-mapped systems. A support library containing language-independent functions is used to raise exceptions. These functions then use language-dependent callback functions to make inquiries about the stack frames built by the language-dependent code, and to further make callbacks to language-dependent functions to clean up those stack frames. The support library works its way up the function call stack from where an exception was issued, searching for function frames that are interested in the exception. An unwind phase is begun when a function frame that is interested in the exception is found. In the unwind phase, the unwinder attempts to unwind the stack up to the interested frame, restoring callee-saved register values, and other pertinent processor-specific information, such as the stack pointer, and frame register. The unwinder then transfers control to the handler code specified by the interested function.