Patents by Inventor Jonathan E. Lange
Jonathan E. Lange has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11907135Abstract: To increase the speed with which a Second Layer Address Table (SLAT) is traversed, memory having the same access permissions is contiguously arranged such that one or more hierarchical levels of the SLAT need not be referenced, thereby resulting in more efficient SLAT traversal. “Slabs” of memory are established whose memory range is sufficiently large that reference to a hierarchically lower level table can be skipped and a hierarchically higher level table's entries can directly identify relevant memory addresses. Such slabs are aligned to avoid smaller intermediate memory ranges. The loading of code or data into memory is performed based on a next available memory location within a slab having equivalent access permissions, or, if such a slab is not available, or if an existing slab does not have a sufficient quantity of available memory remaining, a new slab with the proper access permissions is established.Type: GrantFiled: February 6, 2023Date of Patent: February 20, 2024Assignee: Microsoft Technology Licensing, LLCInventors: Yevgeniy Bak, Mehmet Iyigun, Jonathan E. Lange
-
Publication number: 20230185729Abstract: To increase the speed with which a Second Layer Address Table (SLAT) is traversed, memory having the same access permissions is contiguously arranged such that one or more hierarchical levels of the SLAT need not be referenced, thereby resulting in more efficient SLAT traversal. “Slabs” of memory are established whose memory range is sufficiently large that reference to a hierarchically lower level table can be skipped and a hierarchically higher level table’s entries can directly identify relevant memory addresses. Such slabs are aligned to avoid smaller intermediate memory ranges. The loading of code or data into memory is performed based on a next available memory location within a slab having equivalent access permissions, or, if such a slab is not available, or if an existing slab does not have a sufficient quantity of available memory remaining, a new slab with the proper access permissions is established.Type: ApplicationFiled: February 6, 2023Publication date: June 15, 2023Applicant: Microsoft Technology Licensing, LLCInventors: Yevgeniy BAK, Mehmet IYIGUN, Jonathan E. LANGE
-
Patent number: 11573906Abstract: To increase the speed with which a Second Layer Address Table (SLAT) is traversed, memory having the same access permissions is contiguously arranged such that one or more hierarchical levels of the SLAT need not be referenced, thereby resulting in more efficient SLAT traversal. “Slabs” of memory are established whose memory range is sufficiently large that reference to a hierarchically lower level table can be skipped and a hierarchically higher level table's entries can directly identify relevant memory addresses. Such slabs are aligned to avoid smaller intermediate memory ranges. The loading of code or data into memory is performed based on a next available memory location within a slab having equivalent access permissions, or, if such a slab is not available, or if an existing slab does not have a sufficient quantity of available memory remaining, a new slab with the proper access permissions is established.Type: GrantFiled: January 25, 2021Date of Patent: February 7, 2023Assignee: Microsoft Technology Licensing, LLCInventors: Yevgeniy Bak, Mehmet Iyigun, Jonathan E. Lange
-
Publication number: 20210173931Abstract: Preventing the observation of the side effects of mispredicted speculative execution flows using speculation buffering. A microprocessor comprises one or more speculation buffers that are separated from and correspond to one or more conventional buffers. The microprocessor records first effects of one or more speculatively-executed instructions to the one or more speculation buffers, and records second effects of non-speculatively-executed instructions to the one or more conventional buffers. The microprocessor commits the first effects from the one or more speculation buffers to the one or more conventional buffers when the one or more speculatively-executed instructions that generated the first effects are committed, and discards the first effects from the one or more speculation buffers when the one or more speculatively-executed instructions are cancelled.Type: ApplicationFiled: February 22, 2021Publication date: June 10, 2021Inventors: Kenneth D. JOHNSON, Jonathan E. LANGE
-
Publication number: 20210149816Abstract: To increase the speed with which a Second Layer Address Table (SLAT) is traversed, memory having the same access permissions is contiguously arranged such that one or more hierarchical levels of the SLAT need not be referenced, thereby resulting in more efficient SLAT traversal. “Slabs” of memory are established whose memory range is sufficiently large that reference to a hierarchically lower level table can be skipped and a hierarchically higher level table's entries can directly identify relevant memory addresses. Such slabs are aligned to avoid smaller intermediate memory ranges. The loading of code or data into memory is performed based on a next available memory location within a slab having equivalent access permissions, or, if such a slab is not available, or if an existing slab does not have a sufficient quantity of available memory remaining, a new slab with the proper access permissions is established.Type: ApplicationFiled: January 25, 2021Publication date: May 20, 2021Inventors: Yevgeniy BAK, Mehmet IYIGUN, Jonathan E. LANGE
-
Patent number: 10963567Abstract: Preventing the observation of the side effects of mispredicted speculative execution flows using restricted speculation. In an embodiment a microprocessor comprises a register file including a plurality of entries, each entry comprising a value and a flag. The microprocessor (i) sets the flag corresponding to any entry whose value results from a memory load operation that has not yet been retired or cancelled, or results from a calculation that was derived from a register file entry whose corresponding flag was set, and (ii) clears the flag corresponding to any entry when the operation that generated the entry's value is retired. The microprocessor also comprises a memory unit that is configured to hold any memory load operation that uses an address whose value is calculated based on a register file entry whose flag is set, unless all previous instructions have been retired or cancelled.Type: GrantFiled: May 25, 2018Date of Patent: March 30, 2021Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Kenneth D. Johnson, Jonathan E. Lange
-
Patent number: 10901911Abstract: To increase the speed with which a Second Layer Address Table (SLAT) is traversed, memory having the same access permissions is contiguously arranged such that one or more hierarchical levels of the SLAT need not be referenced, thereby resulting in more efficient SLAT traversal. “Slabs” of memory are established whose memory range is sufficiently large that reference to a hierarchically lower level table can be skipped and a hierarchically higher level table's entries can directly identify relevant memory addresses. Such slabs are aligned to avoid smaller intermediate memory ranges. The loading of code or data into memory is performed based on a next available memory location within a slab having equivalent access permissions, or, if such a slab is not available, or if an existing slab does not have a sufficient quantity of available memory remaining, a new slab with the proper access permissions is established.Type: GrantFiled: November 21, 2018Date of Patent: January 26, 2021Assignee: Microsoft Technology Licensing, LLCInventors: Yevgeniy Bak, Mehmet Iyigun, Jonathan E. Lange
-
Publication number: 20200159667Abstract: To increase the speed with which a Second Layer Address Table (SLAT) is traversed, memory having the same access permissions is contiguously arranged such that one or more hierarchical levels of the SLAT need not be referenced, thereby resulting in more efficient SLAT traversal. “Slabs” of memory are established whose memory range is sufficiently large that reference to a hierarchically lower level table can be skipped and a hierarchically higher level table's entries can directly identify relevant memory addresses. Such slabs are aligned to avoid smaller intermediate memory ranges. The loading of code or data into memory is performed based on a next available memory location within a slab having equivalent access permissions, or, if such a slab is not available, or if an existing slab does not have a sufficient quantity of available memory remaining, a new slab with the proper access permissions is established.Type: ApplicationFiled: November 21, 2018Publication date: May 21, 2020Inventors: Yevgeniy BAK, Mehmet IYIGUN, Jonathan E. LANGE
-
Patent number: 10439803Abstract: A protected machine. The machine includes an enclave. An enclave includes a protected area of an application address space for which access is prevented for any application code not resident in the enclave itself, except that keys can be provided by one or more management enclaves into the enclave. The machine further includes a management enclave coupled to the enclave. The management enclave is configured to provide a key to the enclave. The management enclave is a protected area of an application address space for which access is prevented for any application code not resident in the management enclave itself.Type: GrantFiled: March 14, 2017Date of Patent: October 8, 2019Assignee: Microsoft Technology Licensing, LLCInventor: Jonathan E. Lange
-
Publication number: 20190251256Abstract: The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice-versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or vice-versa. A register maintained by hardware, hypervisor, or system mode code contains data access and execution polices for different chunks of addressable space with respect to which requesting entities (hypervisor mode code, system mode code, user mode code) have access to or can execute code in a given chunk. When a request to execute code or access data with respect to an address is received, the request is processed to determine to which chunk the address corresponds. The policy for that chunk is evaluated to determine whether to allow or deny the request.Type: ApplicationFiled: December 20, 2018Publication date: August 15, 2019Inventors: Jonathan E. Lange, John V. Sell, Ling Tony Chen, Eric O. Mejdrich
-
Publication number: 20190114422Abstract: Preventing the observation of the side effects of mispredicted speculative execution flows using restricted speculation. In an embodiment a microprocessor comprises a register file including a plurality of entries, each entry comprising a value and a flag. The microprocessor (i) sets the flag corresponding to any entry whose value results from a memory load operation that has not yet been retired or cancelled, or results from a calculation that was derived from a register file entry whose corresponding flag was set, and (ii) clears the flag corresponding to any entry when the operation that generated the entry's value is retired. The microprocessor also comprises a memory unit that is configured to hold any memory load operation that uses an address whose value is calculated based on a register file entry whose flag is set, unless all previous instructions have been retired or cancelled.Type: ApplicationFiled: May 25, 2018Publication date: April 18, 2019Inventors: Kenneth D. JOHNSON, Jonathan E. LANGE
-
Patent number: 10198578Abstract: The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice-versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or vice-versa. A register maintained by hardware, hypervisor, or system mode code contains data access and execution polices for different chunks of addressable space with respect to which requesting entities (hypervisor mode code, system mode code, user mode code) have access to or can execute code in a given chunk. When a request to execute code or access data with respect to an address is received, the request is processed to determine to which chunk the address corresponds. The policy for that chunk is evaluated to determine whether to allow or deny the request.Type: GrantFiled: December 5, 2016Date of Patent: February 5, 2019Assignee: Microsoft Technology Licensing, LLCInventors: Jonathan E. Lange, John V. Sell, Ling Tony Chen, Eric O. Mejdrich
-
Publication number: 20180139044Abstract: A protected machine. The machine includes an enclave. An enclave includes a protected area of an application address space for which access is prevented for any application code not resident in the enclave itself, except that keys can be provided by one or more management enclaves into the enclave. The machine further includes a management enclave coupled to the enclave. The management enclave is configured to provide a key to the enclave. The management enclave is a protected area of an application address space for which access is prevented for any application code not resident in the management enclave itself.Type: ApplicationFiled: March 14, 2017Publication date: May 17, 2018Inventor: Jonathan E. Lange
-
Publication number: 20180004531Abstract: In one example, a method includes allocating separate portions of memory for a control stack and a data stack. The method also includes, upon detecting a call instruction, storing a first return address in the control stack and a second return address in the data stack; and upon detecting a return instruction, popping the first return address from the control stack and the second return address from the data stack and raising an exception if the two return addresses do not match. Otherwise, the return instruction returns the first return address. Additionally, the method includes executing an exception handler in response to the return instruction detecting an exception, wherein the exception handler is to pop one or more return addresses from the control stack until the return address on a top of the control stack matches the return address on a top of the data stack.Type: ApplicationFiled: June 30, 2016Publication date: January 4, 2018Applicant: Microsoft Technology Licensing, LLCInventors: Ling Tony Chen, Kenneth D. Johnson, Jonathan E. Lange, Kinshumann, Matthew Miller, Neeraj Singh
-
Publication number: 20170193226Abstract: The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice-versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or vice-versa. A register maintained by hardware, hypervisor, or system mode code contains data access and execution polices for different chunks of addressable space with respect to which requesting entities (hypervisor mode code, system mode code, user mode code) have access to or can execute code in a given chunk. When a request to execute code or access data with respect to an address is received, the request is processed to determine to which chunk the address corresponds. The policy for that chunk is evaluated to determine whether to allow or deny the request.Type: ApplicationFiled: December 5, 2016Publication date: July 6, 2017Inventors: Jonathan E. Lange, John V. Sell, Ling Tony Chen, Eric O. Mejdrich
-
Patent number: 9646154Abstract: Return oriented programming (ROP) attack prevention techniques are described. In one or more examples, a method is described of protecting against return oriented programming attacks. The method includes initiating a compute signature hardware instruction of a computing device to compute a signature for a return address and the associated location on the stack the return address is stored and causing storage of the computed signature along with the return address in the stack. The method also includes enforcing that before executing the return instruction using the return address on the stack, initiating a verify signature hardware instruction of the computing device to verify the signature matches the target return address on the stack and responding to successful verification of the signature through execution of the verify signature hardware instruction by the computing device, executing the return instruction to the return address.Type: GrantFiled: January 20, 2015Date of Patent: May 9, 2017Assignee: Microsoft Technology Licensing, LLCInventors: Ling Tony Chen, Jonathan E. Lange, Greg M. Zaverucha
-
Patent number: 9628279Abstract: Various embodiments provide techniques and devices for protecting application secrets from operating system attacks. In some examples, applications execute with an isolated user mode of a secure execution environment, while relying on an operating system executing within a separate execution environment for resource management and system services. A proxy kernel can control access by the operating system to data associated with the secure execution environment. Further, the proxy kernel can act as a transparent interface between isolated user mode applications and the operating system during the provision of resource management and system services.Type: GrantFiled: September 30, 2014Date of Patent: April 18, 2017Assignee: Microsoft Technology Licensing, LLCInventors: David B. Probert, Jeff Engel, Arsalan Ahmad, Arun U. Kishan, Jonathan E. Lange
-
Patent number: 9530000Abstract: The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice-versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or vice-versa. A register maintained by hardware, hypervisor, or system mode code contains data access and execution polices for different chunks of addressable space with respect to which requesting entities (hypervisor mode code, system mode code, user mode code) have access to or can execute code in a given chunk. When a request to execute code or access data with respect to an address is received, the request is processed to determine to which chunk the address corresponds. The policy for that chunk is evaluated to determine whether to allow or deny the request.Type: GrantFiled: June 14, 2013Date of Patent: December 27, 2016Assignee: Microsoft Technology Licensing, LLCInventors: Jonathan E. Lange, John V. Sell, Ling Tony Chen, Eric O. Mejdrich
-
Publication number: 20160171211Abstract: Return oriented programming (ROP) attack prevention techniques are described. In one or more examples, a method is described of protecting against return oriented programming attacks. The method includes initiating a compute signature hardware instruction of a computing device to compute a signature for a return address and the associated location on the stack the return address is stored and causing storage of the computed signature along with the return address in the stack. The method also includes enforcing that before executing the return instruction using the return address on the stack, initiating a verify signature hardware instruction of the computing device to verify the signature matches the target return address on the stack and responding to successful verification of the signature through execution of the verify signature hardware instruction by the computing device, executing the return instruction to the return address.Type: ApplicationFiled: January 20, 2015Publication date: June 16, 2016Inventors: Ling Tony Chen, Jonathan E. Lange, Greg M. Zaverucha
-
Publication number: 20160092678Abstract: Various embodiments provide techniques and devices for protecting application secrets from operating system attacks. In some examples, applications execute with an isolated user mode of a secure execution environment, while relying on an operating system executing within a separate execution environment for resource management and system services. A proxy kernel can control access by the operating system to data associated with the secure execution environment. Further, the proxy kernel can act as a transparent interface between isolated user mode applications and the operating system during the provision of resource management and system services.Type: ApplicationFiled: September 30, 2014Publication date: March 31, 2016Inventors: David B. Probert, Jeff Engel, Arsalan Ahmad, Arun U. Kishan, Jonathan E. Lange