Abstract: A hardware framework for cyber-deception operations provides flexibility in formulating counterattacks and leverages hardware support for efficiency. Hardware-assisted deception primitives are provided at kernel crossing boundaries to privileged system features that propel the security defenses to dynamically manipulate the malware execution and present a deceptive view of the system state to the attackers. Malware may be in the form of various attack vectors including ransomware, infostealers, buffer overflow, and side-channels.

Abstract: A system for defending against a side channel attack. The system includes a reuse distance buffer configured to measure one or more reuse distances for a microarchitecture block according to information of marker candidates and information of target events of a microarchitecture block; and a defense actuator configured to determine existence of a side channel attack in the microarchitecture block according to the one or more reuse distances for the microarchitecture block.

Abstract: A system and method for defense against cache timing channel attacks using cache management hardware is provided. Sensitive information leakage is a growing security concern exacerbated by shared hardware structures in computer processors. Recent studies have shown how adversaries can exploit cache timing channel attacks to exfiltrate secret information. To effectively guard computing systems against such attacks, embodiments disclosed herein provide practical defense techniques that are readily deployable and introduce only minimal performance overhead. In this regard, a new protection framework against cache timing channel attacks is provided herein by leveraging commercial off-the-shelf (COTS) hardware support in processor caches, including last level caches (LLC), for cache monitoring and partitioning. This framework applies signal processing techniques on per-domain cache occupancy data to identify suspicious application contexts.

Abstract: An improved apparatus and method for the protection of reset in systems with stringent safety goals that employ primary and shadow logic blocks with a lock-step checker to achieve functional safety, including those systems having very large fanout of primary and shadow reset signal trees. The disclosed apparatus and method support assertion of reset that is asynchronous to the system clock and deassertion of reset that is synchronous to the system clock. Shadow logic blocks have reset deasserted a fixed number of clock cycles after their respective primary logic blocks, thereby avoiding the requirement to synchronize the primary and shadow reset signal trees at each of their end points to ensure lock-step operation between the primary and shadow logic blocks.

Abstract: A system for defending against a side channel attack. The system includes a reuse distance buffer configured to measure one or more reuse distances for a microarchitecture block according to information of marker candidates and information of target events of a microarchitecture block; and a defense actuator configured to determine existence of a side channel attack in the microarchitecture block according to the one or more reuse distances for the microarchitecture block.

Abstract: Various implementations described herein refer to an integrated circuit having first clock circuitry that receives a first clock signal and provides sampled offset pulses associated with the first clock signal when enabled with enable signals. The integrated circuit may include second clock circuitry that receives a second clock signal and provides the enable signals to the first clock circuitry based on the second clock signal. The integrated circuit may include fault detector circuitry that receives the sampled offset pulses from the first clock circuitry, receives the enable signals from the second clock circuitry, and provides one or more error flags for detected faults of the first clock signal based on the sampled offset pulses from the first clock circuitry and based on the enable signals from the second clock circuitry.

Abstract: Various implementations described herein refer to an integrated circuit having first clock circuitry that receives a first clock signal and provides sampled offset pulses associated with the first clock signal when enabled with enable signals. The integrated circuit may include second clock circuitry that receives a second clock signal and provides the enable signals to the first clock circuitry based on the second clock signal. The integrated circuit may include fault detector circuitry that receives the sampled offset pulses from the first clock circuitry, receives the enable signals from the second clock circuitry, and provides one or more error flags for detected faults of the first clock signal based on the sampled offset pulses from the first clock circuitry and based on the enable signals from the second clock circuitry.

Abstract: A system and method for defense against cache timing channel attacks using cache management hardware is provided. Sensitive information leakage is a growing security concern exacerbated by shared hardware structures in computer processors. Recent studies have shown how adversaries can exploit cache timing channel attacks to exfiltrate secret information. To effectively guard computing systems against such attacks, embodiments disclosed herein provide practical defense techniques that are readily deployable and introduce only minimal performance overhead. In this regard, a new protection framework against cache timing channel attacks is provided herein by leveraging commercial off-the-shelf (COTS) hardware support in processor caches, including last level caches (LLC), for cache monitoring and partitioning. This framework applies signal processing techniques on per-domain cache occupancy data to identify suspicious application contexts.

Abstract: Various implementations described herein refer to an integrated circuit having a clock generator providing a clock signal. The integrated circuit may include a block having a block boundary, and the block receives the clock signal from the clock generator and provides the clock signal along a clock-tree. The integrated circuit may include a plurality of sub-blocks disposed within the block boundary of the block, and each sub-block of the plurality of sub-blocks receives the clock signal from within the block boundary of the block via the clock-tree, and diverges the clock signal into a first clock signal and a second clock signal from within a sub-block boundary of each sub-block.

Abstract: A method and apparatus for controlling direct memory transfer (DMT) in a data processing system with mismatched bus-widths in which a home node automatically determines, from a read request received from a requestor node, whether DMT should be enabled or disabled dependent on the bus-widths of the requestor node and a target slave node and on the size of the access. Optionally, when the slave node has a smaller bus width than the requestor node, a data combiner at an upload port for the target slave node merges two or more data beats of requested data received from the target slave node to form a single wider beat and transmits the single wider beat to the requestor node. A counter may be used to determine when a data buffer in the data combiner has sufficient space to store data beats to be merged.

Abstract: A method and apparatus for controlling direct memory transfer (DMT) in a data processing system with mismatched bus-widths in which a home node automatically determines, from a read request received from a requestor node, whether DMT should be enabled or disabled dependent on the bus-widths of the requestor node and a target slave node and on the size of the access. Optionally, when the slave node has a smaller bus width than the requestor node, a data combiner at an upload port for the target slave node merges two or more data beats of requested data received from the target slave node to form a single wider beat and transmits the single wider beat to the requestor node. A counter may be used to determine when a data buffer in the data combiner has sufficient space to store data beats to be merged.

Abstract: A system detects a covert timing channel on a combinational structure or a memory structure. The system identifies the events behind conflicts, and constructs an event train based on those events. For combinational structures, the system detects recurrent burst patterns in the event train. The system determines that a covert timing channel exists on the combinational structure if a recurrent burst pattern is detected. For memory structures, the system detects oscillatory patterns in the event train. The system determines that a covert timing channel exists on the memory structure if an oscillatory pattern is detected.

Abstract: Techniques described herein improve processor performance in situations where a large number of system service requests are being received from other devices. More specifically, upon detecting that certain operating conditions that indicate a processor slowdown are present, the processor performs one or more system service adjustment techniques. These techniques include throttling (reducing the rate of handling) of such requests, coalescing (grouping multiple requests into a single group) the requests, disabling microarchitctural structures (such as caches or branch prediction units) or updates to those structures, and prefetching data for or pre-performing these requests. Each of these adjustment techniques helps to reduce the number of and/or workload associated with servicing requests for system services.

Abstract: A bridging circuit and method of operation thereof, which couples first and second electronic circuits of a data processing system. The first electronic circuit generates signals corresponding to digits of a flow control unit (flit) of a first flow control protocol and where the second electronic circuit is responsive to signals corresponding to flits of a second flow control protocol. When first flits are destined for the same target buffer, they are combined to provide a second flit consistent with the second flow control protocol and transmitting the second flit to the second electronic circuit. The second flit includes data and metadata fields copied from the first flits, a common field common to each of the first flits, a merged field containing a merger of fields from the first flits and a validity field indicating which portions of the second flit contain valid data.

Abstract: A bridging circuit and method of operation thereof, which couples first and second electronic circuits of a data processing system. The first electronic circuit generates signals corresponding to digits of a flow control unit (flit) of a first flow control protocol and where the second electronic circuit is responsive to signals corresponding to flits of a second flow control protocol. When first flits are destined for the same target buffer, they are combined to provide a second flit consistent with the second flow control protocol and transmitting the second flit to the second electronic circuit. The second flit includes data and metadata fields copied from the first flits, a common field common to each of the first flits, a merged field containing a merger of fields from the first flits and a validity field indicating which portions of the second flit contain valid data.

Abstract: A system detects a covert timing channel on a combinational structure or a memory structure. The system identifies the events behind conflicts, and constructs an event train based on those events. For combinational structures, the system detects recurrent burst patterns in the event train. The system determines that a covert timing channel exists on the combinational structure if a recurrent burst pattern is detected. For memory structures, the system detects oscillatory patterns in the event train. The system determines that a covert timing channel exists on the memory structure if an oscillatory pattern is detected.

Abstract: A bus network passes pending messages from bus interface to bus interface until they are downloaded at a target bus interface by a target device connected to the target bus interface. The messages are tagged with at least one download control bit. The download control bit has a priority state indicating that a message has already passed the target bus interface at least once without being downloaded. When controlling selection of messages for downloading by the target device, the target bus interface selects messages with the download control bit in the priority state with a greater probability than messages not having a download control bit in the priority state.

Abstract: Methods and apparatus relating to ring protocols and techniques are described. In one embodiment, a first agent generates a request to write to a cache line of a cache over a first ring of a computing platform. A second agent that receives the write request forwards it to a third agent over the first ring of the computing platform. In turn, a third agent (e.g., a home agent) receives data corresponding to the write request over a second, different ring of the computing platform and writes the data to the cache. Other embodiments are also disclosed.

Abstract: A data processing apparatus (2) comprises a first protocol domain A configured to operate under a write progress protocol and a second protocol domain B configured to operate under a snoop progress protocol. A deadlock condition is detected if a write target address for a pending write request issued from the first domain A to the second domain B is the same as a snoop target address or a pending snoop request issued from the second domain B to the first domain A. When the deadlock condition is detected, a bridge (4) between the domains may issue an early response to a selected one of the deadlocked write and snoop requests without waiting for the selected request serviced. The early response indicates to the domain that issued the selected request that the selected request has been serviced, enabling the other request to be serviced by the issuing domain.

Abstract: Methods and apparatus relating to optimized ring protocols and techniques are described. In one embodiment, a first agent generates a request to write to a cache line of a cache over a first ring of a computing platform. A second agent that receives the write request forwards it to a third agent over the first ring of the computing platform. In turn, a third agent (e.g., a home agent) receives data corresponding to the write request over a second, different ring of the computing platform and writes the data to the cache. Other embodiments are also disclosed.