Patents by Inventor Kenneth D. Johnson

Kenneth D. Johnson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230128720
    Abstract: Securely redirecting a system service routine via a provider service table. A service call provider is loaded within an operating system executing in a lower trust security zone. The service call provider comprises metadata indicating a system service routine to be redirected to the service call provider. Based on the metadata, a provider service table is built within a higher trust security zone. The service table redirects the system service routine to the service call provider. Memory page(s) associated with the provider service table are hardware protected, and a read-only view is exposed to the operating system. The provider service table is associated with a user-mode process. A service call for a particular system service routine is received by the operating system from the user-mode process and, based on the provider service table being associated with the user-mode process, the service call is directed to the service call provider.
    Type: Application
    Filed: December 21, 2021
    Publication date: April 27, 2023
    Inventors: Haim COHEN, Graham John HARPER, Mehmet IYIGUN, Kenneth D. JOHNSON
  • Publication number: 20210173931
    Abstract: Preventing the observation of the side effects of mispredicted speculative execution flows using speculation buffering. A microprocessor comprises one or more speculation buffers that are separated from and correspond to one or more conventional buffers. The microprocessor records first effects of one or more speculatively-executed instructions to the one or more speculation buffers, and records second effects of non-speculatively-executed instructions to the one or more conventional buffers. The microprocessor commits the first effects from the one or more speculation buffers to the one or more conventional buffers when the one or more speculatively-executed instructions that generated the first effects are committed, and discards the first effects from the one or more speculation buffers when the one or more speculatively-executed instructions are cancelled.
    Type: Application
    Filed: February 22, 2021
    Publication date: June 10, 2021
    Inventors: Kenneth D. JOHNSON, Jonathan E. LANGE
  • Patent number: 10963567
    Abstract: Preventing the observation of the side effects of mispredicted speculative execution flows using restricted speculation. In an embodiment a microprocessor comprises a register file including a plurality of entries, each entry comprising a value and a flag. The microprocessor (i) sets the flag corresponding to any entry whose value results from a memory load operation that has not yet been retired or cancelled, or results from a calculation that was derived from a register file entry whose corresponding flag was set, and (ii) clears the flag corresponding to any entry when the operation that generated the entry's value is retired. The microprocessor also comprises a memory unit that is configured to hold any memory load operation that uses an address whose value is calculated based on a register file entry whose flag is set, unless all previous instructions have been retired or cancelled.
    Type: Grant
    Filed: May 25, 2018
    Date of Patent: March 30, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Kenneth D. Johnson, Jonathan E. Lange
  • Patent number: 10831886
    Abstract: A virtual machine manager facilitates selective code integrity enforcement. A virtual machine manager (or other higher privileged entity) can verify the integrity of code in memory pages, and a virtual processor running in kernel mode executes the code on a memory page only if the virtual machine manager (or other higher privileged entity) has verified the code integrity of that code. However, the virtual machine manager need not verify the integrity of code in memory pages when the virtual processor is running in user mode. Rather, an operating system running on the virtual processor can apply any of a variety of policies (e.g., optionally perform any of a variety of different checks or verifications of the code) to determine whether the code can be executed in user mode.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: November 10, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David A. Hepkin, Kenneth D. Johnson
  • Patent number: 10705850
    Abstract: A system for exception handling is configured to, in response to detection of an exception during a function call, search for an exception handler to handle the detected exception by unwinding a stack across a plurality of frames. A binary includes functions associated with one of a first application binary interface (ABI) or a second ABI. The stack includes a transition frame created between frames of the first ABI and the second ABI during execution of the binaries. The system is configured to detect the transition frame in the stack when encountering a change from a frame of one ABI to a frame of another ABI, and translate an interface context therebetween to handle the exception.
    Type: Grant
    Filed: October 11, 2017
    Date of Patent: July 7, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Pedro Miguel Teixeira, Neeraj K. Singh, Kenneth D. Johnson
  • Patent number: 10621342
    Abstract: Speculative side channels exist when memory is accessed by speculatively-executed processor instructions. Embodiments use uncacheable memory mappings to close speculative side channels that could allow an unprivileged execution context to access a privileged execution context's memory. Based on allocation of memory location(s) to the unprivileged execution context, embodiments map these memory location(s) as uncacheable within first page table(s) corresponding to the privileged execution context, but map those same memory locations as cacheable within second page table(s) corresponding to the unprivileged execution context. This prevents a processor from carrying out speculative execution of instruction(s) from the privileged execution context that access any of this memory allocated to the unprivileged execution context, due to the unprivileged execution context's memory being mapped as uncacheable for the privileged execution context.
    Type: Grant
    Filed: November 2, 2017
    Date of Patent: April 14, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Kenneth D. Johnson, Sai Ganesh Ramachandran, Xin David Zhang, Arun Upadhyaya Kishan, David Alan Hepkin
  • Publication number: 20190147160
    Abstract: A virtual machine manager facilitates selective code integrity enforcement. A virtual machine manager (or other higher privileged entity) can verify the integrity of code in memory pages, and a virtual processor running in kernel mode executes the code on a memory page only if the virtual machine manager (or other higher privileged entity) has verified the code integrity of that code. However, the virtual machine manager need not verify the integrity of code in memory pages when the virtual processor is running in user mode. Rather, an operating system running on the virtual processor can apply any of a variety of policies (e.g., optionally perform any of a variety of different checks or verifications of the code) to determine whether the code can be executed in user mode.
    Type: Application
    Filed: January 15, 2019
    Publication date: May 16, 2019
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: David A. Hepkin, Kenneth D. Johnson
  • Publication number: 20190130102
    Abstract: Speculative side channels exist when memory is accessed by speculatively-executed processor instructions. Embodiments use uncacheable memory mappings to close speculative side channels that could allow an unprivileged execution context to access a privileged execution context's memory. Based on allocation of memory location(s) to the unprivileged execution context, embodiments map these memory location(s) as uncacheable within first page table(s) corresponding to the privileged execution context, but map those same memory locations as cacheable within second page table(s) corresponding to the unprivileged execution context. This prevents a processor from carrying out speculative execution of instruction(s) from the privileged execution context that access any of this memory allocated to the unprivileged execution context, due to the unprivileged execution context's memory being mapped as uncacheable for the privileged execution context.
    Type: Application
    Filed: November 2, 2017
    Publication date: May 2, 2019
    Inventors: Kenneth D. JOHNSON, Sai Ganesh RAMACHANDRAN, Xin David ZHANG, Arun Upadhyaya KISHAN, David Alan HEPKIN
  • Publication number: 20190114422
    Abstract: Preventing the observation of the side effects of mispredicted speculative execution flows using restricted speculation. In an embodiment a microprocessor comprises a register file including a plurality of entries, each entry comprising a value and a flag. The microprocessor (i) sets the flag corresponding to any entry whose value results from a memory load operation that has not yet been retired or cancelled, or results from a calculation that was derived from a register file entry whose corresponding flag was set, and (ii) clears the flag corresponding to any entry when the operation that generated the entry's value is retired. The microprocessor also comprises a memory unit that is configured to hold any memory load operation that uses an address whose value is calculated based on a register file entry whose flag is set, unless all previous instructions have been retired or cancelled.
    Type: Application
    Filed: May 25, 2018
    Publication date: April 18, 2019
    Inventors: Kenneth D. JOHNSON, Jonathan E. LANGE
  • Publication number: 20190108036
    Abstract: A system for exception handling is configured to, in response to detection of an exception during a function call, search for an exception handler to handle the detected exception by unwinding a stack across a plurality of frames. A binary includes functions associated with one of a first application binary interface (ABI) or a second ABI. The stack includes a transition frame created between frames of the first ABI and the second ABI during execution of the binaries. The system is configured to detect the transition frame in the stack when encountering a change from a frame of one ABI to a frame of another ABI, and translate an interface context therebetween to handle the exception.
    Type: Application
    Filed: October 11, 2017
    Publication date: April 11, 2019
    Inventors: Pedro Miguel TEXEIRA, Neeraj K. Singh, Kenneth D. JOHNSON
  • Patent number: 10198572
    Abstract: A virtual machine manager facilitates selective code integrity enforcement. A virtual machine manager (or other higher privileged entity) can verify the integrity of code in memory pages, and a virtual processor running in kernel mode executes the code on a memory page only if the virtual machine manager (or other higher privileged entity) has verified the code integrity of that code. However, the virtual machine manager need not verify the integrity of code in memory pages when the virtual processor is running in user mode. Rather, an operating system running on the virtual processor can apply any of a variety of policies (e.g., optionally perform any of a variety of different checks or verifications of the code) to determine whether the code can be executed in user mode.
    Type: Grant
    Filed: February 12, 2014
    Date of Patent: February 5, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David A. Hepkin, Kenneth D. Johnson
  • Patent number: 10157268
    Abstract: Each program thread running on a computing device has an associated data stack and control stack. A stack displacement value is generated, which is the difference between the memory address of the base of the data stack and the memory address of the base of the control stack, and is stored in a register of a processor of the computing device that is restricted to operating system kernel use. For each thread on which return flow guard is enabled, prologue and epilogue code is added to each function of the thread (e.g., by a memory manager of the computing device). The data stack and the control stack each store a return address for the function, and when the function completes the epilogue code allows the function to return only if the return addresses on the data stack and the control stack match.
    Type: Grant
    Filed: September 27, 2016
    Date of Patent: December 18, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jordan Thomas Rabet, Kenneth D. Johnson, Matthew R. Miller, Adam M. Zabrocki, Shawn Daniel Hoffman, Landy Wang, Yevgeniy M. Bak
  • Publication number: 20180113764
    Abstract: A computing device runs a hypervisor that manages a watchdog timer, referred to as a hypervisor watchdog timer, for each operating system in each partition. Each hypervisor watchdog timer is re-armed at various intervals by the operating system running in the associated partition. In response to a hypervisor watchdog timer expiring, the watchdog timer resets the operating system in the associated partition. Optionally, after a threshold amount of time elapses without being re-armed, the hypervisor watchdog timer issues a non-maskable interrupt (NMI) to the operating system in the associated partition to allow the operating system to store crash data. Operation of the hypervisor watchdog timers is paused when the computing device enters a low power mode and resumes when the computing device exits the low power mode, removing any need to re-arm the hypervisor watchdog timers while the computing device is in the low power mode.
    Type: Application
    Filed: October 24, 2016
    Publication date: April 26, 2018
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Aditya Bhandari, Kenneth D. Johnson, Cody Dean Hartwig, Bruce J. Sherwin, JR., Jason S. Wohlgemuth
  • Publication number: 20180088988
    Abstract: Each program thread running on a computing device has an associated data stack and control stack. A stack displacement value is generated, which is the difference between the memory address of the base of the data stack and the memory address of the base of the control stack, and is stored in a register of a processor of the computing device that is restricted to operating system kernel use. For each thread on which return flow guard is enabled, prologue and epilogue code is added to each function of the thread (e.g., by a memory manager of the computing device). The data stack and the control stack each store a return address for the function, and when the function completes the epilogue code allows the function to return only if the return addresses on the data stack and the control stack match.
    Type: Application
    Filed: September 27, 2016
    Publication date: March 29, 2018
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Jordan Thomas Rabet, Kenneth D. Johnson, Matthew R. Miller, Adam M. Zabrocki, Shawn Daniel Hoffman, Landy Wang, Yevgeniy M. Bak
  • Publication number: 20180004531
    Abstract: In one example, a method includes allocating separate portions of memory for a control stack and a data stack. The method also includes, upon detecting a call instruction, storing a first return address in the control stack and a second return address in the data stack; and upon detecting a return instruction, popping the first return address from the control stack and the second return address from the data stack and raising an exception if the two return addresses do not match. Otherwise, the return instruction returns the first return address. Additionally, the method includes executing an exception handler in response to the return instruction detecting an exception, wherein the exception handler is to pop one or more return addresses from the control stack until the return address on a top of the control stack matches the return address on a top of the data stack.
    Type: Application
    Filed: June 30, 2016
    Publication date: January 4, 2018
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Ling Tony Chen, Kenneth D. Johnson, Jonathan E. Lange, Kinshumann, Matthew Miller, Neeraj Singh
  • Patent number: 9681174
    Abstract: An on-screen menu method and system for controlling the functions of integrated electronic devices and a television schedule system and method for displaying television schedule information on a television screen includes a program guide having a schedule information area that depicts the programs that are being presented on each channel at each time during the day and an interconnected series of menus to control the features of the integrated electronic devices. An input device allows the viewer to move a pointer over different interactive areas of the guide and the function performed when the area is activated is displayed in a contextual help window. Various control glyphs provide for recursive interaction with the guide.
    Type: Grant
    Filed: June 17, 2016
    Date of Patent: June 13, 2017
    Assignee: Rovi Guides, Inc.
    Inventors: Theresa A. Alba, Marcia A. Casement, William De Stein, David Folker, Keith W. Hunwick, Kenneth D. Johnson
  • Publication number: 20160295289
    Abstract: An on-screen menu method and system for controlling the functions of integrated electronic devices and a television schedule system and method for displaying television schedule information on a television screen includes a program guide having a schedule information area that depicts the programs that are being presented on each channel, at each time during the day and an interconnected series of menus to control the features of the integrated electronic devices. An input device allows the viewer to move a pointer over different interactive areas of the guide and the function performed when the area is activated is displayed in a contextual help window. Various control glyphs provide for recursive interaction with the guide.
    Type: Application
    Filed: June 17, 2016
    Publication date: October 6, 2016
    Inventors: Theresa A. Alba, Marcia A. Casement, William De Stein, David Folker, Keith W. Hunwick, Kenneth D. Johnson
  • Publication number: 20160295274
    Abstract: An on-screen menu method and system for controlling the functions of integrated electronic devices and a television schedule system and method for displaying television schedule information on a television screen includes a program guide having a schedule information area that depicts the programs that are being presented on each channel at each time during the day and an interconnected series of menus to control the features of the integrated electronic devices. An input device allows the viewer to move a pointer over different interactive areas of the guide and the function performed when the area is activated is displayed in a contextual help window. Various control glyphs provide for recursive interaction with the guide.
    Type: Application
    Filed: June 17, 2016
    Publication date: October 6, 2016
    Inventors: Theresa A. Alba, Marcia A. Casement, William De Stein, David Folker, Keith W. Hunwick, Kenneth D. Johnson
  • Patent number: 9348533
    Abstract: Techniques for memory image capture via memory write from a running system are described. In at least some embodiments, a request is received for an image of a portion of memory. Images of memory can be used for a variety of purposes, such as diagnosing and repairing error conditions for hardware and/or software, detecting unwanted and/or malicious processes (e.g., malware), general systems maintenance, and so forth. According to one or more embodiments, various techniques can be implemented to capture an image of a portion of memory. For example, an intermediate write to memory can be employed to write the image of the portion of memory to a memory buffer. Alternatively or additionally, an image of a portion of memory can be captured directly to storage.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: May 24, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tai Hing Tse, Landy Wang, Yimin Deng, Kenneth D. Johnson, Yevgeniy M. Bak, Chiuchin Chen
  • Publication number: 20160142786
    Abstract: An on-screen menu method and system for controlling the functions of integrated electronic devices and a television schedule system and method for displaying television schedule information on a television screen includes a program guide having a schedule information area that depicts the programs that are being presented on each channel at each time during the day and an interconnected series of menus to control the features of the integrated electronic devices. An input device allows the viewer to move a pointer over different interactive areas of the guide and the function performed when the area is activated is displayed in a contextual help window. Various control glyphs provide for recursive interaction with the guide.
    Type: Application
    Filed: November 16, 2015
    Publication date: May 19, 2016
    Inventors: Theresa A. Alba, Marcia A. Casement, William De Stein, David Folker, Keith W. Hunwick, Kenneth D. Johnson