Patents by Inventor Mona Vij
Mona Vij has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12113902Abstract: In function-as-a-service (FaaS) environments, a client makes use of a function executing within a trusted execution environment (TEE) on a FaaS server. Multiple tenants of the FaaS platform may provide functions to be executed by the FaaS platform via a gateway. Each tenant may provide code and data for any number of functions to be executed within any number of TEEs on the FaaS platform and accessed via the gateway. Additionally, each tenant may provide code and data for a single surrogate attester TEE. The client devices of the tenant use the surrogate attester TEE to attest each of the other TEEs of the tenant and establish trust with the functions in those TEEs. Once the functions have been attested, the client devices have confidence that the other TEEs of the tenant are running on the same platform as the gateway.Type: GrantFiled: December 22, 2020Date of Patent: October 8, 2024Assignee: Intel CorporationInventors: Anjo Lucas Vahldiek-Oberwagner, Ravi L. Sahita, Mona Vij, Dayeol Lee, Haidong Xia, Rameshkumar Illikkal, Samuel Ortiz, Kshitij Arun Doshi, Mourad Cherfaoui, Andrzej Kuriata, Teck Joo Goh
-
Publication number: 20240330466Abstract: Methods, apparatus, systems, and articles of manufacture to verify integrity of a model are disclosed. An example apparatus includes programmable circuitry to initialize an instance of a trusted execution environment; upload a security manifest of the trusted execution environment and a machine learning model; determine whether to store the machine learning model into a memory based on checking of the security manifest; determine whether the machine learning model is valid; and output a validation result.Type: ApplicationFiled: May 28, 2024Publication date: October 3, 2024Inventors: Scott Douglas Constable, Marcin Andrzej Chrapek, Marcin Spoczynski, Cory Cornelius, Mona Vij, Anjo Lucas Vahldiek-Oberwagner
-
Patent number: 12093432Abstract: In one embodiment, an apparatus comprises a processing circuitry to detect an occurrence of at least one of a single-stepping event or a zero-stepping event in an execution thread on an architecturally protected enclave and in response to the occurrence, implement at least one mitigation process to inhibit further occurrences of the at least one of a single-stepping event or a zero-stepping event in the architecturally protected enclave.Type: GrantFiled: September 24, 2021Date of Patent: September 17, 2024Assignee: INTEL CORPORATIONInventors: Scott Constable, Yuan Xiao, Bin Xing, Mona Vij, Mark Shanahan
-
Publication number: 20240202314Abstract: Techniques and mechanisms for a processor core to execute an instruction for a hardware (HW) thread to have access to a trusted execution environment (TEE). In an embodiment, execution of the instruction includes determining whether any sibling HW thread, which is currently active, is also currently approved to access the TEE. TEE access by the HW thread is conditioned upon a requirement that any sibling HW thread is either currently inactive, is currently in the same TEE, or is currently approved to enter the TEE. In another embodiment, execution of another instruction, for the HW thread to exit the TEE, includes or otherwise results in system software being conditionally notified of an opportunity to wake up one or more sibling HW threads.Type: ApplicationFiled: December 19, 2022Publication date: June 20, 2024Applicant: Intel CorporationInventors: Mona Vij, Dmitrii Kuvaiskii, Bin Xing, Krystof Zmudzinski, Scott Constable
-
Patent number: 12013954Abstract: Scalable cloning and replication for trusted execution environments is described. An example of a computer-readable storage medium includes instructions for receiving a selection of a point to capture a snapshot of a baseline trust domain (TD) or secure enclave, the TD or secure enclave being associated with a trusted execution environment (TEE) of a processor utilized for processing of a workload; initiating cloning of the TD or secure enclave from a source platform to an escrow platform; generating an escrow key to export the snapshot to the escrow platform; and exporting a state of the TD or secure enclave to the escrow platform, the state being sealed with a sealing key.Type: GrantFiled: March 31, 2022Date of Patent: June 18, 2024Assignee: Intel CorporationInventors: Ravi Sahita, Dror Caspi, Vedvyas Shanbhogue, Vincent Scarlata, Anjo Lucas Vahldiek-Oberwagner, Haidong Xia, Mona Vij
-
Publication number: 20240184717Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.Type: ApplicationFiled: October 9, 2023Publication date: June 6, 2024Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
-
Publication number: 20230409699Abstract: Detailed herein are examples of determining when to allow access to a trusted execution environment (TEE). For example, using TEE logic associated with software to at least in part: determine that a TEE feature is supported based at least on a value of a bit position in a data structure; and not allow a TEE entry instruction to access to a TEE when the bit position of the data structure is reserved.Type: ApplicationFiled: September 20, 2022Publication date: December 21, 2023Inventors: Scott CONSTABLE, Ilya ALEXANDROVICH, Ittai ANATI, Simon JOHNSON, Vincent SCARLATA, Mona VIJ, Yuan XIAO, Bin XING, Krystof SMUDZINSKI
-
Patent number: 11782849Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.Type: GrantFiled: July 3, 2021Date of Patent: October 10, 2023Assignee: Intel CorporationInventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
-
Publication number: 20230205869Abstract: Systems, methods, and apparatuses relating efficient exception handling in trusted execution environments are described. In an embodiment, a hardware processor includes a register, a decoder, and execution circuitry. The register has a field to be set to enable an architecturally protected execution environment at one of a plurality of contexts for code in an architecturally protected enclave in memory. The decoder is to decode an instruction having a format including a field for an opcode, the opcode to indicate that the execution circuitry is to perform a context change. The execution circuitry is to perform one or more operations corresponding to the instruction, the one or more operations including changing, within the architecturally protected enclave, from a first context to a second context.Type: ApplicationFiled: December 23, 2021Publication date: June 29, 2023Applicant: Intel CorporationInventors: Scott Constable, Bin Xing, Yuan Xiao, Krystof Zmudzinski, Mona Vij, Mark Shanahan, Francis McKeen, Ittai Anati
-
Patent number: 11637687Abstract: Methods, apparatus, systems and articles of manufacture to determine provenance for data supply chains are disclosed. Example instructions cause a machine to at least, in response to data being generated, generate a local data object and object metadata corresponding to the data; hash the local data object; generate a hash of a label of the local data object; generate a hierarchical data structure for the data including the hash of the local data object and the hash of the label of the local data object; generate a data supply chain object including the hierarchical data structure; and transmit the data and the data supply chain object to a device that requested access to the data.Type: GrantFiled: December 20, 2019Date of Patent: April 25, 2023Assignee: Intel CorporationInventors: Ned Smith, Francesc Guim Bernat, Sanjay Bakshi, Paul O'Neill, Ben McCahill, Brian A. Keating, Adrian Hoban, Kapil Sood, Mona Vij, Nilesh Jain, Rajesh Poornachandran, Trevor Cooper, Kshitij A. Doshi, Marcin Spoczynski
-
Publication number: 20230015537Abstract: Example methods and systems are directed to reducing latency in providing trusted execution environments (TEEs). Initializing a TEE includes multiple steps before the TEE starts executing. Besides workload-specific initialization, workload-independent initialization is performed, such as adding memory to the TEE. In function-as-a-service (FaaS) environments, a large portion of the TEE is workload-independent, and thus can be performed prior to receiving the workload. Certain steps performed during TEE initialization are identical for certain classes of workloads. Thus, the common parts of the TEE initialization sequence may be performed before the TEE is requested. When a TEE is requested for a workload in the class and the parts to specialize the TEE for its particular purpose are known, the final steps to initialize the TEE are performed.Type: ApplicationFiled: September 22, 2022Publication date: January 19, 2023Inventors: Anjo Lucas Vahldiek-Oberwagner, Ravi L. Sahita, Mona Vij, Rameshkumar Illikkal, Michael Steiner, Thomas Knauth, Dmitrii Kuvaiskii, Sudha Krishnakumar, Krystof C. Zmudzinski, Vincent Scarlata, Francis McKeen
-
Publication number: 20220272012Abstract: Examples described herein relate to dynamically composing an application as a monolithic implementation or two or more microservices based on telemetry data. In some examples, based on composition of an application as two or more microservices, at least one connection between microservices based on telemetry data is adjusted. In some examples, a switch can be configured to perform forwarding of communications between microservices based on the adjusted at least one connection between microservices.Type: ApplicationFiled: May 13, 2022Publication date: August 25, 2022Inventors: S M Iftekharul ALAM, Ned SMITH, Vesh Raj SHARMA BANJADE, Satish C. JHA, Christian MACIOCCO, Mona VIJ, Kshitij A. DOSHI, Srikathyayani SRIKANTESWARA, Francesc GUIM BERNAT, Maruti GUPTA HYDE, Alexander BACHMUTSKY
-
Publication number: 20220239507Abstract: Various approaches for memory encryption management within an edge computing system are described. In an edge computing system deployment, a computing device includes capabilities to store and manage encrypted data in memory, through processing circuitry configured to: allocate memory encryption keys according to a data isolation policy for a microservice domain, with respective keys used for encryption of respective sets of data within the memory (e.g., among different tenants or tenant groups); and, share data associated with a first microservice to a second microservice of the domain. Such sharing may be based on the communication of an encryption key, used to encrypt the data in memory, from a proxy (such as a sidecar) associated with the first microservice to a proxy associated with the second microservice; and maintaining the encrypted data within the memory, for use with the second microservice, as accessible with the communicated encryption key.Type: ApplicationFiled: February 10, 2022Publication date: July 28, 2022Inventors: Ned M. Smith, Kshitij Arun Doshi, Francesc Guim Bernat, Mona Vij
-
Publication number: 20220222358Abstract: Scalable cloning and replication for trusted execution environments is described. An example of a computer-readable storage medium includes instructions for receiving a selection of a point to capture a snapshot of a baseline trust domain (TD) or secure enclave, the TD or secure enclave being associated with a trusted execution environment (TEE) of a processor utilized for processing of a workload; initiating cloning of the TD or secure enclave from a source platform to an escrow platform; generating an escrow key to export the snapshot to the escrow platform; and exporting a state of the TD or secure enclave to the escrow platform, the state being sealed with a sealing key.Type: ApplicationFiled: March 31, 2022Publication date: July 14, 2022Applicant: Intel CorporationInventors: Ravi Sahita, Dror Caspi, Vedvyas Shanbhogue, Vincent Scarlata, Anjo Lucas Vahldiek-Oberwagner, Haidong Xia, Mona Vij
-
Publication number: 20220207187Abstract: Systems, methods, and apparatuses relating to an instruction that allows a trusted execution environment to react to an asynchronous exit are described. In one embodiment, a hardware processor includes a register comprising a field, that when set, is to enable an architecturally protected execution environment for code in an architecturally protected enclave in memory, a decoder circuit to decode a single instruction comprising an opcode into a decoded instruction, the opcode to indicate an execution circuit is to invoke a handler to handle an asynchronous exit from execution of the code in the architecturally protected enclave and then resume execution of the code in the architecturally protected enclave from where the asynchronous exit occurred, and the execution circuit to respond to the decoded instruction as specified by the opcode.Type: ApplicationFiled: December 26, 2020Publication date: June 30, 2022Inventors: SCOTT CONSTABLE, MARK SHANAHAN, MONA VIJ, BIN XING, KRYSTOF ZMUDZINSKI
-
Publication number: 20220121470Abstract: In one embodiment, metadata associated with deployment of a container within an orchestration environment includes information indicating security preferences for deployment of the container within the orchestration environment, information indicating a level of communications between the container and other containers, and/or information indicating effects of execution of the container with respect to other containers. The metadata is used to select a particular node of a plurality of nodes within the orchestration environment on which to deploy the container based on the metadata.Type: ApplicationFiled: December 23, 2021Publication date: April 21, 2022Applicant: Intel CorporationInventors: Paritosh Saxena, Anjo Lucas Vahldiek-Oberwagner, Mona Vij, Kshitij A. Doshi, Carlos H. Morales, Clair Bowman, Marcela S. Melara, Michael Steiner
-
Publication number: 20220116335Abstract: A computing node includes network interface circuitry and processing circuitry. The processing circuitry assigns available computing resources to a plurality of slice contexts. Each slice context of the plurality includes resource allocations of the available computing resources associated with multiple communication networks. A first portion of the resource allocations is designated as dedicated resources and a second, remaining portion is designated as shared resources. A FAFO event associated with a workload is detected. The workload executes on a network slice instance (NSI) associated with a slice context of a subset of slice contexts. The configuration of the NSI is restored to a pre-FAFO event state based on reconfiguring one or both of the dedicated resources or the shared resources of the slice context based on the resource allocations of at least a second slice context in the subset of slice contexts.Type: ApplicationFiled: December 21, 2021Publication date: April 14, 2022Inventors: Vesh Raj Sharma Banjade, Satish Chandra Jha, Ned M. Smith, S M Iftekharul Alam, Christian Maciocco, Liuyang Lily Yang, Mona Vij, Kshitij Arun Doshi, Francesc Guim Bernat, Clark Chen
-
Patent number: 11283635Abstract: Various approaches for memory encryption management within an edge computing system are described. In an edge computing system deployment, a computing device includes capabilities to store and manage encrypted data in memory, through processing circuitry configured to: allocate memory encryption keys according to a data isolation policy for a microservice domain, with respective keys used for encryption of respective sets of data within the memory (e.g., among different tenants or tenant groups); and, share data associated with a first microservice to a second microservice of the domain. Such sharing may be based on the communication of an encryption key, used to encrypt the data in memory, from a proxy (such as a sidecar) associated with the first microservice to a proxy associated with the second microservice; and maintaining the encrypted data within the memory, for use with the second microservice, as accessible with the communicated encryption key.Type: GrantFiled: December 20, 2019Date of Patent: March 22, 2022Assignee: Intel CorporationInventors: Ned M. Smith, Kshitij Arun Doshi, Francesc Guim Bernat, Mona Vij
-
Publication number: 20220012369Abstract: In one embodiment, an apparatus comprises a processing circuitry to detect an occurrence of at least one of a single-stepping event or a zero-stepping event in an execution thread on an architecturally protected enclave and in response to the occurrence, implement at least one mitigation process to inhibit further occurrences of the at least one of a single-stepping event or a zero-stepping event in the architecturally protected enclave.Type: ApplicationFiled: September 24, 2021Publication date: January 13, 2022Applicant: Intel CorporationInventors: Scott Constable, Yuan Xiao, Bin Xing, Mona Vij, Mark Shanahan
-
Publication number: 20210406201Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.Type: ApplicationFiled: July 3, 2021Publication date: December 30, 2021Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati