Patents by Inventor Mona Vij

Mona Vij has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220239507
    Abstract: Various approaches for memory encryption management within an edge computing system are described. In an edge computing system deployment, a computing device includes capabilities to store and manage encrypted data in memory, through processing circuitry configured to: allocate memory encryption keys according to a data isolation policy for a microservice domain, with respective keys used for encryption of respective sets of data within the memory (e.g., among different tenants or tenant groups); and, share data associated with a first microservice to a second microservice of the domain. Such sharing may be based on the communication of an encryption key, used to encrypt the data in memory, from a proxy (such as a sidecar) associated with the first microservice to a proxy associated with the second microservice; and maintaining the encrypted data within the memory, for use with the second microservice, as accessible with the communicated encryption key.
    Type: Application
    Filed: February 10, 2022
    Publication date: July 28, 2022
    Inventors: Ned M. Smith, Kshitij Arun Doshi, Francesc Guim Bernat, Mona Vij
  • Publication number: 20220222358
    Abstract: Scalable cloning and replication for trusted execution environments is described. An example of a computer-readable storage medium includes instructions for receiving a selection of a point to capture a snapshot of a baseline trust domain (TD) or secure enclave, the TD or secure enclave being associated with a trusted execution environment (TEE) of a processor utilized for processing of a workload; initiating cloning of the TD or secure enclave from a source platform to an escrow platform; generating an escrow key to export the snapshot to the escrow platform; and exporting a state of the TD or secure enclave to the escrow platform, the state being sealed with a sealing key.
    Type: Application
    Filed: March 31, 2022
    Publication date: July 14, 2022
    Applicant: Intel Corporation
    Inventors: Ravi Sahita, Dror Caspi, Vedvyas Shanbhogue, Vincent Scarlata, Anjo Lucas Vahldiek-Oberwagner, Haidong Xia, Mona Vij
  • Publication number: 20220207187
    Abstract: Systems, methods, and apparatuses relating to an instruction that allows a trusted execution environment to react to an asynchronous exit are described. In one embodiment, a hardware processor includes a register comprising a field, that when set, is to enable an architecturally protected execution environment for code in an architecturally protected enclave in memory, a decoder circuit to decode a single instruction comprising an opcode into a decoded instruction, the opcode to indicate an execution circuit is to invoke a handler to handle an asynchronous exit from execution of the code in the architecturally protected enclave and then resume execution of the code in the architecturally protected enclave from where the asynchronous exit occurred, and the execution circuit to respond to the decoded instruction as specified by the opcode.
    Type: Application
    Filed: December 26, 2020
    Publication date: June 30, 2022
    Inventors: SCOTT CONSTABLE, MARK SHANAHAN, MONA VIJ, BIN XING, KRYSTOF ZMUDZINSKI
  • Publication number: 20220121470
    Abstract: In one embodiment, metadata associated with deployment of a container within an orchestration environment includes information indicating security preferences for deployment of the container within the orchestration environment, information indicating a level of communications between the container and other containers, and/or information indicating effects of execution of the container with respect to other containers. The metadata is used to select a particular node of a plurality of nodes within the orchestration environment on which to deploy the container based on the metadata.
    Type: Application
    Filed: December 23, 2021
    Publication date: April 21, 2022
    Applicant: Intel Corporation
    Inventors: Paritosh Saxena, Anjo Lucas Vahldiek-Oberwagner, Mona Vij, Kshitij A. Doshi, Carlos H. Morales, Clair Bowman, Marcela S. Melara, Michael Steiner
  • Publication number: 20220116335
    Abstract: A computing node includes network interface circuitry and processing circuitry. The processing circuitry assigns available computing resources to a plurality of slice contexts. Each slice context of the plurality includes resource allocations of the available computing resources associated with multiple communication networks. A first portion of the resource allocations is designated as dedicated resources and a second, remaining portion is designated as shared resources. A FAFO event associated with a workload is detected. The workload executes on a network slice instance (NSI) associated with a slice context of a subset of slice contexts. The configuration of the NSI is restored to a pre-FAFO event state based on reconfiguring one or both of the dedicated resources or the shared resources of the slice context based on the resource allocations of at least a second slice context in the subset of slice contexts.
    Type: Application
    Filed: December 21, 2021
    Publication date: April 14, 2022
    Inventors: Vesh Raj Sharma Banjade, Satish Chandra Jha, Ned M. Smith, S M Iftekharul Alam, Christian Maciocco, Liuyang Lily Yang, Mona Vij, Kshitij Arun Doshi, Francesc Guim Bernat, Clark Chen
  • Patent number: 11283635
    Abstract: Various approaches for memory encryption management within an edge computing system are described. In an edge computing system deployment, a computing device includes capabilities to store and manage encrypted data in memory, through processing circuitry configured to: allocate memory encryption keys according to a data isolation policy for a microservice domain, with respective keys used for encryption of respective sets of data within the memory (e.g., among different tenants or tenant groups); and, share data associated with a first microservice to a second microservice of the domain. Such sharing may be based on the communication of an encryption key, used to encrypt the data in memory, from a proxy (such as a sidecar) associated with the first microservice to a proxy associated with the second microservice; and maintaining the encrypted data within the memory, for use with the second microservice, as accessible with the communicated encryption key.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: March 22, 2022
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Kshitij Arun Doshi, Francesc Guim Bernat, Mona Vij
  • Publication number: 20220012369
    Abstract: In one embodiment, an apparatus comprises a processing circuitry to detect an occurrence of at least one of a single-stepping event or a zero-stepping event in an execution thread on an architecturally protected enclave and in response to the occurrence, implement at least one mitigation process to inhibit further occurrences of the at least one of a single-stepping event or a zero-stepping event in the architecturally protected enclave.
    Type: Application
    Filed: September 24, 2021
    Publication date: January 13, 2022
    Applicant: Intel Corporation
    Inventors: Scott Constable, Yuan Xiao, Bin Xing, Mona Vij, Mark Shanahan
  • Publication number: 20210406201
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Application
    Filed: July 3, 2021
    Publication date: December 30, 2021
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
  • Patent number: 11055236
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: July 6, 2021
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
  • Patent number: 11023622
    Abstract: A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out, or not performing the given security check, if it was determined that the protected container page was not live stored out. Other methods, as well as processors, computer systems, and machine-readable medium providing instructions are also disclosed.
    Type: Grant
    Filed: June 29, 2019
    Date of Patent: June 1, 2021
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Mona Vij, Somnath Chakrabarti
  • Patent number: 11010309
    Abstract: A computer system for executing one or more software applications includes a host computer device configured to execute the one or more software applications. The computer system further includes one or more memory devices configured to cryptographically protect volatile memory of the one or more memory devices. The one or more memory devices are configured to provide access to the cryptographically protected volatile memory for the one or more software applications. The host computer device is configured to execute the one or more software applications by executing a portion of the one or more software applications associated with the cryptographically protected volatile memory using a processor of the one or more memory devices.
    Type: Grant
    Filed: August 28, 2018
    Date of Patent: May 18, 2021
    Assignee: Intel Corporation
    Inventors: Somnath Chakrabarti, Mona Vij, Matthew Hoekstra
  • Publication number: 20210110070
    Abstract: Example methods and systems are directed to reducing latency in providing trusted execution environments (TEES). Initializing a TEE includes multiple steps before the TEE starts executing. Besides workload-specific initialization, workload-independent initialization is performed, such as adding memory to the TEE. In function-as-a-service (FaaS) environments, a large portion of the TEE is workload-independent, and thus can be performed prior to receiving the workload. Certain steps performed during TEE initialization are identical for certain classes of workloads. Thus, the common parts of the TEE initialization sequence may be performed before the TEE is requested. When a TEE is requested for a workload in the class and the parts to specialize the TEE for its particular purpose are known, the final steps to initialize the TEE are performed.
    Type: Application
    Filed: December 22, 2020
    Publication date: April 15, 2021
    Inventors: Anjo Lucas Vahldiek-Oberwagner, Ravi L. Sahita, Mona Vij, Rameshkumar Illikkal, Michael Steiner, Thomas Knauth, Dmitrii Kuvaiskii, Sudha Krishnakumar, Krystof C. Zmudzinski, Vincent Scarlata, Francis McKeen
  • Publication number: 20210109870
    Abstract: Example methods and systems are directed to isolating memory in trusted execution environments (TEEs). In function-as-a-service (FaaS) environments, a client makes use of a function executing within a TEE on a FaaS server. To minimize the trusted code base (TCB) for each function, each function may be placed in a separate TEE. However, this causes the overhead of creating a TEE to be incurred for each function. As discussed herein, multiple functions may be placed in a single TEE without compromising the data integrity of each function. For example, by using a different extended page table (EPT) for each function, the virtual address spaces of the functions are kept separate and map to different, non-overlapping physical address spaces. Partial overlap may be permitted to allow functions to share some data while protecting other data. Memory for each function may be encrypted using a different encryption key.
    Type: Application
    Filed: December 23, 2020
    Publication date: April 15, 2021
    Inventors: Ravi L. Sahita, Anjo Lucas Vahldiek-Oberwagner, Teck Joo Goh, Rameshkmar Illikkal, Andrzej Kuriata, Vedvyas Shanbhogue, Mona Vij, Haidong Xia
  • Publication number: 20210111892
    Abstract: In function-as-a-service (FaaS) environments, a client makes use of a function executing within a trusted execution environment (TEE) on a FaaS server. Multiple tenants of the FaaS platform may provide functions to be executed by the FaaS platform via a gateway. Each tenant may provide code and data for any number of functions to be executed within any number of TEEs on the FaaS platform and accessed via the gateway. Additionally, each tenant may provide code and data for a single surrogate attester TEE. The client devices of the tenant use the surrogate attester TEE to attest each of the other TEEs of the tenant and establish trust with the functions in those TEEs. Once the functions have been attested, the client devices have confidence that the other TEEs of the tenant are running on the same platform as the gateway.
    Type: Application
    Filed: December 22, 2020
    Publication date: April 15, 2021
    Inventors: Anjo Lucas Vahldiek-Oberwagner, Ravi L. Sahita, Mona Vij, Dayeol Lee, Haidong Xia, Rameshkumar Illikkal, Samuel Ortiz, Kshitij Arun Doshi, Mourad Cherfaoui, Andrzej Kuriata, Teck Joo Goh
  • Patent number: 10970390
    Abstract: A processor includes a processing core to identify a code comprising a plurality of instructions to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of the first virtual memory page and a second address of the first physical memory page, store, in the cache memory, the address translation data structure comprising the first address mapping, and execute the code by retrieving the first address mapping in the address translation data structures to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of
    Type: Grant
    Filed: February 15, 2018
    Date of Patent: April 6, 2021
    Assignee: Intel Corporation
    Inventors: Francis McKeen, Bin Xing, Krystof Zmudzinski, Carlos Rozas, Mona Vij
  • Patent number: 10922088
    Abstract: Detailed herein are systems, apparatuses, and methods for a computer architecture with instruction set support to mitigate against page fault- and/or cache-based side-channel attacks. In an embodiment, an apparatus includes a decoder to decode a first instruction, the first instruction having a first field for a first opcode that indicates that execution circuitry is to set a first flag in a first register that indicates a mode of operation that redirects program flow to an exception handler upon the occurrence of an event. The apparatus further includes execution circuitry to execute the decoded first instruction to set the first flag in the first register that indicates the mode of operation and to store an address of an exception handler in a second register.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: February 16, 2021
    Assignee: Intel Corporation
    Inventors: Fangfei Liu, Bin Xing, Michael Steiner, Mona Vij, Carlos Rozas, Francis McKeen, Meltem Ozsoy, Matthew Fernandez, Krystof Zmudzinski, Mark Shanahan
  • Patent number: 10908952
    Abstract: Preemptive scheduling enclaves as disclosed herein support both cooperative and preemptive scheduling of in-enclave (IE) thread execution. These preemptive scheduling enclaves may include a scheduler configured to be executed as part of normal hardware interrupt processing by enclave threads. The scheduler identifies an IE thread to be scheduled and modifies enclave data structures so that when the enclave thread resumes processing after a hardware interrupt, the identified IE thread is executed, rather than the interrupted IE thread.
    Type: Grant
    Filed: April 21, 2017
    Date of Patent: February 2, 2021
    Assignee: INTEL CORPORATION
    Inventors: Hongliang Tian, Shoumeng Yan, Mona Vij
  • Publication number: 20200409711
    Abstract: Detailed herein are systems, apparatuses, and methods for a computer architecture with instruction set support to mitigate against page fault and/or cache-based side-channel attacks. In an embodiment, a processor includes a decoder to decode an instruction into a decoded instruction, the instruction comprising a first field that indicates an instruction pointer to a user-level event handler; and an execution unit to execute the decoded instruction to, after a swap of an instruction pointer that indicates where an event occurred from a current instruction pointer register into a user-level event handler pointer register, push the instruction pointer that indicates where the event occurred onto call stack storage, and change a current instruction pointer in the current instruction pointer register to the instruction pointer to the user-level event handler.
    Type: Application
    Filed: June 29, 2019
    Publication date: December 31, 2020
    Inventors: Scott Constable, Fangfei Liu, Bin Xing, Michael Steiner, Mona Vij, Carlos Rozas, Francis X. McKeen, Meltem Ozsoy, Matthew Fernandez, Krystof Zmudzinski, Mark Shanahan
  • Publication number: 20200142838
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Application
    Filed: December 27, 2019
    Publication date: May 7, 2020
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
  • Patent number: 10642972
    Abstract: Methods and apparatus for extending packet processing to trusted programmable and fixed-function accelerators. Secure enclaves are created in system memory of a compute platform, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The compute platform further includes one or more hardware-based accelerators that are used by the software to offload packet processing operations. The accelerators are configured to read packet data from input queues, process the data, and output processed data to output queues, wherein the input and output queues are located in encrypted portions of memory that may be in a secure enclave or external to the secure enclaves.
    Type: Grant
    Filed: October 20, 2016
    Date of Patent: May 5, 2020
    Assignee: Intel Corporation
    Inventors: Kapil Sood, Somnath Chakrabarti, Wei Shen, Carlos V. Rozas, Mona Vij, Vincent R. Scarlata