Abstract: Computing systems, devices, and methods of dynamic image composition for container deployment are disclosed herein. One example technique includes receiving a request for accessing a file from a container process. In response to receiving the request, the technique includes querying a mapping table corresponding to the container process to locate an entry corresponding to a file identifier of the requested file. The entry also includes data identifying a file location on the storage device from which the requested file is accessible. The technique further includes retrieving a copy of the requested file according to the file location identified by the data in the located entry in the mapping table and providing the retrieved copy of the requested file to the container process, thereby allowing the container process to access the requested file.

Abstract: To increase the speed with which a Second Layer Address Table (SLAT) is traversed, memory having the same access permissions is contiguously arranged such that one or more hierarchical levels of the SLAT need not be referenced, thereby resulting in more efficient SLAT traversal. “Slabs” of memory are established whose memory range is sufficiently large that reference to a hierarchically lower level table can be skipped and a hierarchically higher level table's entries can directly identify relevant memory addresses. Such slabs are aligned to avoid smaller intermediate memory ranges. The loading of code or data into memory is performed based on a next available memory location within a slab having equivalent access permissions, or, if such a slab is not available, or if an existing slab does not have a sufficient quantity of available memory remaining, a new slab with the proper access permissions is established.

Abstract: Performing shadow stack functionality for a thread in an audit mode includes initiating execution of a thread at the processor. Execution of the thread includes initiating execution of executable code of an application binary as part of the thread and enabling shadow stack functionality for the thread in an audit mode. Based at least on the execution of the thread in the audit mode, at least a portion of the shadow stack is enabled to be a circular stack. In response to determining that usage of the shadow stack has reached the defined threshold, one or more currently used entries of the shadow stack are overwritten, preventing the shadow stack from overflowing.

Abstract: Ensuring data security when tiering volatile and non-volatile byte-addressable memory. A portion of cache data stored in a first memory that is byte-addressable and volatile is identified for copying to a second memory that is byte-addressable and non-volatile. The portion of cache data is associated with cryptographic requirements for storing the portion of cache data on non-volatile storage. Cryptographic capabilities of the second memory are identified. When each of the cryptographic requirements is met by the cryptographic capabilities, the portion of cache data is copied to the second memory while relying on the second memory to encrypt the portion of cache data. When at least one cryptographic requirement is not met by the cryptographic capabilities, the portion of cache data is encrypted to generate an encrypted portion of cache data, and the encrypted portion of cache data is copied to the second memory.

Abstract: Embodiments relate to improving user experiences when executing binary code that has been translated from other binary code. Binary code (instructions) for a source instruction set architecture (ISA) cannot natively execute on a processor that implements a target ISA. The instructions in the source ISA are binary-translated to instructions in the target ISA and are executed on the processor. The overhead of performing binary translation and/or the overhead of executing binary-translated code are compensated for by increasing the speed at which the translated code is executed, relative to non-translated code. Translated code may be executed on hardware that has one or more power-performance parameters of the processor set to increase the performance of the processor with respect to the translated code. The increase in power-performance for translated code may be proportional to the degree of translation overhead.

Abstract: Techniques of deferred container deployment are disclosed herein. In one embodiment, a method includes receiving, at a computing device, a container image corresponding to the container. The container image includes a first set of files identified by symbolic links individually directed to a file in the host filesystem on the computing device and a second set of files identified by hard links. The method also includes in response to receiving the container image, at the computing device, storing the received container image in a folder of the host filesystem on the computing device without resolving the symbolic links of the first set of the files until runtime of the requested container.

Abstract: Dynamically overriding a function based on a capability set. A computer system reads a portion of an executable image file. The portion includes a first memory address corresponding to a first callee function implementation. The first memory address was inserted into the portion by a compiler toolchain. Based on extensible metadata included in the executable image file, and based on a capability set that is specific to the computer system, the computer system determines a second memory address corresponding to a second callee function implementation. Before execution of the portion, the computer system modifies the portion to replace the first memory address with the second memory address.

Abstract: Dynamically overriding a function based on a capability set. A computer system reads a portion of an executable image file. The portion includes a first memory address corresponding to a first callee function implementation. The first memory address was inserted into the portion by a compiler toolchain. Based on extensible metadata included in the executable image file, and based on a capability set that is specific to the computer system, the computer system determines a second memory address corresponding to a second callee function implementation. Before execution of the portion, the computer system modifies the portion to replace the first memory address with the second memory address.

Abstract: Techniques for computer memory management are disclosed herein. In one embodiment, a method includes in response to receiving a request for allocation of memory, determining whether the request is for allocation from a first memory region or a second memory region of the physical memory. The first memory region has first memory subregions of a first size and the second memory region having second memory subregions of a second size larger than the first size of the first memory region. The method further includes in response to determining that the request for allocation of memory is for allocation from the first or second memory region, allocating a portion of the first or second multiple memory subregions of the first or second memory region, respectively, in response to the request.

Abstract: Computing systems, devices, and methods of dynamic image composition for container deployment are disclosed herein. One example technique includes receiving a request for accessing a file from a container process. In response to receiving the request, the technique includes querying a mapping table corresponding to the container process to locate an entry corresponding to a file identifier of the requested file. The entry also includes data identifying a file location on the storage device from which the requested file is accessible. The technique further includes retrieving a copy of the requested file according to the file location identified by the data in the located entry in the mapping table and providing the retrieved copy of the requested file to the container process, thereby allowing the container process to access the requested file.

Abstract: Enforcing shadow stack violations at module granularity, rather than at thread or process granularity. An exception is processed during execution of a thread based on code of an application binary, which is enabled for shadow stack enforcement, that calls an external module. The exception results from a mismatch between a return address popped from the thread's call stack and a return address popped from the thread's shadow stack. Processing the exception includes determining that the exception resulted from execution of an instruction in the external module, and determining whether or not the external module is enabled for shadow stack enforcement. Based at least on these determinations, execution of the thread is terminated when the external module is enabled for shadow stack enforcement, or the thread is permitted to continue executing when the external module is not enabled for shadow stack enforcement.

Abstract: To increase the speed with which a Second Layer Address Table (SLAT) is traversed, memory having the same access permissions is contiguously arranged such that one or more hierarchical levels of the SLAT need not be referenced, thereby resulting in more efficient SLAT traversal. “Slabs” of memory are established whose memory range is sufficiently large that reference to a hierarchically lower level table can be skipped and a hierarchically higher level table’s entries can directly identify relevant memory addresses. Such slabs are aligned to avoid smaller intermediate memory ranges. The loading of code or data into memory is performed based on a next available memory location within a slab having equivalent access permissions, or, if such a slab is not available, or if an existing slab does not have a sufficient quantity of available memory remaining, a new slab with the proper access permissions is established.

Abstract: Securely redirecting a system service routine via a provider service table. A service call provider is loaded within an operating system executing in a lower trust security zone. The service call provider comprises metadata indicating a system service routine to be redirected to the service call provider. Based on the metadata, a provider service table is built within a higher trust security zone. The service table redirects the system service routine to the service call provider. Memory page(s) associated with the provider service table are hardware protected, and a read-only view is exposed to the operating system. The provider service table is associated with a user-mode process. A service call for a particular system service routine is received by the operation system from the user-mode process and, based on the provider service table being associated with the user-mode process, the service call is directed to the service call provider.

Abstract: Handling a memory fault based on detecting whether a memory pointer was invalidated by a pointer authentication (PA) failure. After an access to a memory pointer causes a memory fault, detecting that the memory pointer was invalidated by a PA failure includes creating a new memory pointer by replacing reserved bits of the memory pointer with a default value, and determining that the new memory pointer corresponds to a memory address that falls within executable memory. This determination includes determining that the memory address is within an executable memory page, determining that a call instruction is stored at a prior memory address that immediately precedes the memory address, and/or determining that the memory address corresponds to a code section of an executable file. The PA failure is handled based on logging the PA failure, terminating the application program, and/or resuming execution at an instruction stored at the memory address.

Abstract: Embodiments relate to improving user experiences when executing binary code that has been translated from other binary code. Binary code (instructions) for a source instruction set architecture (ISA) cannot natively execute on a processor that implements a target ISA. The instructions in the source ISA are binary-translated to instructions in the target ISA and are executed on the processor. The overhead of performing binary translation and/or the overhead of executing binary-translated code are compensated for by increasing the speed at which the translated code is executed, relative to non-translated code. Translated code may be executed on hardware that has one or more power-performance parameters of the processor set to increase the performance of the processor with respect to the translated code. The increase in power-performance for translated code may be proportional to the degree of translation overhead.

Abstract: Techniques for computer memory management are disclosed herein. In one embodiment, a method includes in response to receiving a request for allocation of memory, determining whether the request is for allocation from a first memory region or a second memory region of the physical memory. The first memory region has first memory subregions of a first size and the second memory region having second memory subregions of a second size larger than the first size of the first memory region. The method further includes in response to determining that the request for allocation of memory is for allocation from the first or second memory region, allocating a portion of the first or second multiple memory subregions of the first or second memory region, respectively, in response to the request.

Abstract: To increase the speed with which a Second Layer Address Table (SLAT) is traversed, memory having the same access permissions is contiguously arranged such that one or more hierarchical levels of the SLAT need not be referenced, thereby resulting in more efficient SLAT traversal. “Slabs” of memory are established whose memory range is sufficiently large that reference to a hierarchically lower level table can be skipped and a hierarchically higher level table's entries can directly identify relevant memory addresses. Such slabs are aligned to avoid smaller intermediate memory ranges. The loading of code or data into memory is performed based on a next available memory location within a slab having equivalent access permissions, or, if such a slab is not available, or if an existing slab does not have a sufficient quantity of available memory remaining, a new slab with the proper access permissions is established.

Abstract: One example technique includes receiving a request for accessing a file from a container process. In response to receiving the request, the technique includes querying a mapping table corresponding to the container process to locate an entry corresponding to a file identifier of the requested file. The entry also includes data identifying a file location on the storage device from which the requested file is accessible. The technique further includes retrieving a copy of the requested file according to the file location identified by the data in the located entry in the mapping table and providing the retrieved copy of the requested file to the container process, thereby allowing the container process to access the requested file.

Abstract: Enforcing shadow stack violations for dynamic code. A thread is executed at a processor, which includes generating a portion of dynamic code for execution by the thread, identifying a range of memory addresses where the portion of dynamic code is loaded in memory, and initiating execution of the portion of dynamic code. Based at least on execution of the thread, an exception triggered by a mismatch between a first return address popped from a call stack corresponding to the thread and a second return address popped from a shadow stack corresponding to the thread is processed. Processing the exception includes (i) determining whether the second return address popped from the shadow stack is within the identified range of addresses, and (ii) based on having determined that the second return address is within the range of addresses, initiating a shadow stack enforcement action.

Abstract: Enforcing shadow stack violations at module granularity, rather than at thread or process granularity. An exception is processed during execution of a thread based on code of an application binary, which is enabled for shadow stack enforcement, that calls an external module. The exception results from a mismatch between a return address popped from the thread's call stack and a return address popped from the thread's shadow stack. Processing the exception includes determining that the exception resulted from execution of an instruction in the external module, and determining whether or not the external module is enabled for shadow stack enforcement. Based at least on these determinations, execution of the thread is terminated when the external module is enabled for shadow stack enforcement, or the thread is permitted to continue executing when the external module is not enabled for shadow stack enforcement.