Patents by Inventor Mona Vij

Mona Vij has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12113902
    Abstract: In function-as-a-service (FaaS) environments, a client makes use of a function executing within a trusted execution environment (TEE) on a FaaS server. Multiple tenants of the FaaS platform may provide functions to be executed by the FaaS platform via a gateway. Each tenant may provide code and data for any number of functions to be executed within any number of TEEs on the FaaS platform and accessed via the gateway. Additionally, each tenant may provide code and data for a single surrogate attester TEE. The client devices of the tenant use the surrogate attester TEE to attest each of the other TEEs of the tenant and establish trust with the functions in those TEEs. Once the functions have been attested, the client devices have confidence that the other TEEs of the tenant are running on the same platform as the gateway.
    Type: Grant
    Filed: December 22, 2020
    Date of Patent: October 8, 2024
    Assignee: Intel Corporation
    Inventors: Anjo Lucas Vahldiek-Oberwagner, Ravi L. Sahita, Mona Vij, Dayeol Lee, Haidong Xia, Rameshkumar Illikkal, Samuel Ortiz, Kshitij Arun Doshi, Mourad Cherfaoui, Andrzej Kuriata, Teck Joo Goh
  • Publication number: 20240330466
    Abstract: Methods, apparatus, systems, and articles of manufacture to verify integrity of a model are disclosed. An example apparatus includes programmable circuitry to initialize an instance of a trusted execution environment; upload a security manifest of the trusted execution environment and a machine learning model; determine whether to store the machine learning model into a memory based on checking of the security manifest; determine whether the machine learning model is valid; and output a validation result.
    Type: Application
    Filed: May 28, 2024
    Publication date: October 3, 2024
    Inventors: Scott Douglas Constable, Marcin Andrzej Chrapek, Marcin Spoczynski, Cory Cornelius, Mona Vij, Anjo Lucas Vahldiek-Oberwagner
  • Patent number: 12093432
    Abstract: In one embodiment, an apparatus comprises a processing circuitry to detect an occurrence of at least one of a single-stepping event or a zero-stepping event in an execution thread on an architecturally protected enclave and in response to the occurrence, implement at least one mitigation process to inhibit further occurrences of the at least one of a single-stepping event or a zero-stepping event in the architecturally protected enclave.
    Type: Grant
    Filed: September 24, 2021
    Date of Patent: September 17, 2024
    Assignee: INTEL CORPORATION
    Inventors: Scott Constable, Yuan Xiao, Bin Xing, Mona Vij, Mark Shanahan
  • Publication number: 20240202314
    Abstract: Techniques and mechanisms for a processor core to execute an instruction for a hardware (HW) thread to have access to a trusted execution environment (TEE). In an embodiment, execution of the instruction includes determining whether any sibling HW thread, which is currently active, is also currently approved to access the TEE. TEE access by the HW thread is conditioned upon a requirement that any sibling HW thread is either currently inactive, is currently in the same TEE, or is currently approved to enter the TEE. In another embodiment, execution of another instruction, for the HW thread to exit the TEE, includes or otherwise results in system software being conditionally notified of an opportunity to wake up one or more sibling HW threads.
    Type: Application
    Filed: December 19, 2022
    Publication date: June 20, 2024
    Applicant: Intel Corporation
    Inventors: Mona Vij, Dmitrii Kuvaiskii, Bin Xing, Krystof Zmudzinski, Scott Constable
  • Patent number: 12013954
    Abstract: Scalable cloning and replication for trusted execution environments is described. An example of a computer-readable storage medium includes instructions for receiving a selection of a point to capture a snapshot of a baseline trust domain (TD) or secure enclave, the TD or secure enclave being associated with a trusted execution environment (TEE) of a processor utilized for processing of a workload; initiating cloning of the TD or secure enclave from a source platform to an escrow platform; generating an escrow key to export the snapshot to the escrow platform; and exporting a state of the TD or secure enclave to the escrow platform, the state being sealed with a sealing key.
    Type: Grant
    Filed: March 31, 2022
    Date of Patent: June 18, 2024
    Assignee: Intel Corporation
    Inventors: Ravi Sahita, Dror Caspi, Vedvyas Shanbhogue, Vincent Scarlata, Anjo Lucas Vahldiek-Oberwagner, Haidong Xia, Mona Vij
  • Publication number: 20240184717
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Application
    Filed: October 9, 2023
    Publication date: June 6, 2024
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
  • Publication number: 20230409699
    Abstract: Detailed herein are examples of determining when to allow access to a trusted execution environment (TEE). For example, using TEE logic associated with software to at least in part: determine that a TEE feature is supported based at least on a value of a bit position in a data structure; and not allow a TEE entry instruction to access to a TEE when the bit position of the data structure is reserved.
    Type: Application
    Filed: September 20, 2022
    Publication date: December 21, 2023
    Inventors: Scott CONSTABLE, Ilya ALEXANDROVICH, Ittai ANATI, Simon JOHNSON, Vincent SCARLATA, Mona VIJ, Yuan XIAO, Bin XING, Krystof SMUDZINSKI
  • Patent number: 11782849
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Grant
    Filed: July 3, 2021
    Date of Patent: October 10, 2023
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
  • Publication number: 20230205869
    Abstract: Systems, methods, and apparatuses relating efficient exception handling in trusted execution environments are described. In an embodiment, a hardware processor includes a register, a decoder, and execution circuitry. The register has a field to be set to enable an architecturally protected execution environment at one of a plurality of contexts for code in an architecturally protected enclave in memory. The decoder is to decode an instruction having a format including a field for an opcode, the opcode to indicate that the execution circuitry is to perform a context change. The execution circuitry is to perform one or more operations corresponding to the instruction, the one or more operations including changing, within the architecturally protected enclave, from a first context to a second context.
    Type: Application
    Filed: December 23, 2021
    Publication date: June 29, 2023
    Applicant: Intel Corporation
    Inventors: Scott Constable, Bin Xing, Yuan Xiao, Krystof Zmudzinski, Mona Vij, Mark Shanahan, Francis McKeen, Ittai Anati
  • Patent number: 11637687
    Abstract: Methods, apparatus, systems and articles of manufacture to determine provenance for data supply chains are disclosed. Example instructions cause a machine to at least, in response to data being generated, generate a local data object and object metadata corresponding to the data; hash the local data object; generate a hash of a label of the local data object; generate a hierarchical data structure for the data including the hash of the local data object and the hash of the label of the local data object; generate a data supply chain object including the hierarchical data structure; and transmit the data and the data supply chain object to a device that requested access to the data.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: April 25, 2023
    Assignee: Intel Corporation
    Inventors: Ned Smith, Francesc Guim Bernat, Sanjay Bakshi, Paul O'Neill, Ben McCahill, Brian A. Keating, Adrian Hoban, Kapil Sood, Mona Vij, Nilesh Jain, Rajesh Poornachandran, Trevor Cooper, Kshitij A. Doshi, Marcin Spoczynski
  • Publication number: 20230015537
    Abstract: Example methods and systems are directed to reducing latency in providing trusted execution environments (TEEs). Initializing a TEE includes multiple steps before the TEE starts executing. Besides workload-specific initialization, workload-independent initialization is performed, such as adding memory to the TEE. In function-as-a-service (FaaS) environments, a large portion of the TEE is workload-independent, and thus can be performed prior to receiving the workload. Certain steps performed during TEE initialization are identical for certain classes of workloads. Thus, the common parts of the TEE initialization sequence may be performed before the TEE is requested. When a TEE is requested for a workload in the class and the parts to specialize the TEE for its particular purpose are known, the final steps to initialize the TEE are performed.
    Type: Application
    Filed: September 22, 2022
    Publication date: January 19, 2023
    Inventors: Anjo Lucas Vahldiek-Oberwagner, Ravi L. Sahita, Mona Vij, Rameshkumar Illikkal, Michael Steiner, Thomas Knauth, Dmitrii Kuvaiskii, Sudha Krishnakumar, Krystof C. Zmudzinski, Vincent Scarlata, Francis McKeen
  • Publication number: 20220272012
    Abstract: Examples described herein relate to dynamically composing an application as a monolithic implementation or two or more microservices based on telemetry data. In some examples, based on composition of an application as two or more microservices, at least one connection between microservices based on telemetry data is adjusted. In some examples, a switch can be configured to perform forwarding of communications between microservices based on the adjusted at least one connection between microservices.
    Type: Application
    Filed: May 13, 2022
    Publication date: August 25, 2022
    Inventors: S M Iftekharul ALAM, Ned SMITH, Vesh Raj SHARMA BANJADE, Satish C. JHA, Christian MACIOCCO, Mona VIJ, Kshitij A. DOSHI, Srikathyayani SRIKANTESWARA, Francesc GUIM BERNAT, Maruti GUPTA HYDE, Alexander BACHMUTSKY
  • Publication number: 20220239507
    Abstract: Various approaches for memory encryption management within an edge computing system are described. In an edge computing system deployment, a computing device includes capabilities to store and manage encrypted data in memory, through processing circuitry configured to: allocate memory encryption keys according to a data isolation policy for a microservice domain, with respective keys used for encryption of respective sets of data within the memory (e.g., among different tenants or tenant groups); and, share data associated with a first microservice to a second microservice of the domain. Such sharing may be based on the communication of an encryption key, used to encrypt the data in memory, from a proxy (such as a sidecar) associated with the first microservice to a proxy associated with the second microservice; and maintaining the encrypted data within the memory, for use with the second microservice, as accessible with the communicated encryption key.
    Type: Application
    Filed: February 10, 2022
    Publication date: July 28, 2022
    Inventors: Ned M. Smith, Kshitij Arun Doshi, Francesc Guim Bernat, Mona Vij
  • Publication number: 20220222358
    Abstract: Scalable cloning and replication for trusted execution environments is described. An example of a computer-readable storage medium includes instructions for receiving a selection of a point to capture a snapshot of a baseline trust domain (TD) or secure enclave, the TD or secure enclave being associated with a trusted execution environment (TEE) of a processor utilized for processing of a workload; initiating cloning of the TD or secure enclave from a source platform to an escrow platform; generating an escrow key to export the snapshot to the escrow platform; and exporting a state of the TD or secure enclave to the escrow platform, the state being sealed with a sealing key.
    Type: Application
    Filed: March 31, 2022
    Publication date: July 14, 2022
    Applicant: Intel Corporation
    Inventors: Ravi Sahita, Dror Caspi, Vedvyas Shanbhogue, Vincent Scarlata, Anjo Lucas Vahldiek-Oberwagner, Haidong Xia, Mona Vij
  • Publication number: 20220207187
    Abstract: Systems, methods, and apparatuses relating to an instruction that allows a trusted execution environment to react to an asynchronous exit are described. In one embodiment, a hardware processor includes a register comprising a field, that when set, is to enable an architecturally protected execution environment for code in an architecturally protected enclave in memory, a decoder circuit to decode a single instruction comprising an opcode into a decoded instruction, the opcode to indicate an execution circuit is to invoke a handler to handle an asynchronous exit from execution of the code in the architecturally protected enclave and then resume execution of the code in the architecturally protected enclave from where the asynchronous exit occurred, and the execution circuit to respond to the decoded instruction as specified by the opcode.
    Type: Application
    Filed: December 26, 2020
    Publication date: June 30, 2022
    Inventors: SCOTT CONSTABLE, MARK SHANAHAN, MONA VIJ, BIN XING, KRYSTOF ZMUDZINSKI
  • Publication number: 20220121470
    Abstract: In one embodiment, metadata associated with deployment of a container within an orchestration environment includes information indicating security preferences for deployment of the container within the orchestration environment, information indicating a level of communications between the container and other containers, and/or information indicating effects of execution of the container with respect to other containers. The metadata is used to select a particular node of a plurality of nodes within the orchestration environment on which to deploy the container based on the metadata.
    Type: Application
    Filed: December 23, 2021
    Publication date: April 21, 2022
    Applicant: Intel Corporation
    Inventors: Paritosh Saxena, Anjo Lucas Vahldiek-Oberwagner, Mona Vij, Kshitij A. Doshi, Carlos H. Morales, Clair Bowman, Marcela S. Melara, Michael Steiner
  • Publication number: 20220116335
    Abstract: A computing node includes network interface circuitry and processing circuitry. The processing circuitry assigns available computing resources to a plurality of slice contexts. Each slice context of the plurality includes resource allocations of the available computing resources associated with multiple communication networks. A first portion of the resource allocations is designated as dedicated resources and a second, remaining portion is designated as shared resources. A FAFO event associated with a workload is detected. The workload executes on a network slice instance (NSI) associated with a slice context of a subset of slice contexts. The configuration of the NSI is restored to a pre-FAFO event state based on reconfiguring one or both of the dedicated resources or the shared resources of the slice context based on the resource allocations of at least a second slice context in the subset of slice contexts.
    Type: Application
    Filed: December 21, 2021
    Publication date: April 14, 2022
    Inventors: Vesh Raj Sharma Banjade, Satish Chandra Jha, Ned M. Smith, S M Iftekharul Alam, Christian Maciocco, Liuyang Lily Yang, Mona Vij, Kshitij Arun Doshi, Francesc Guim Bernat, Clark Chen
  • Patent number: 11283635
    Abstract: Various approaches for memory encryption management within an edge computing system are described. In an edge computing system deployment, a computing device includes capabilities to store and manage encrypted data in memory, through processing circuitry configured to: allocate memory encryption keys according to a data isolation policy for a microservice domain, with respective keys used for encryption of respective sets of data within the memory (e.g., among different tenants or tenant groups); and, share data associated with a first microservice to a second microservice of the domain. Such sharing may be based on the communication of an encryption key, used to encrypt the data in memory, from a proxy (such as a sidecar) associated with the first microservice to a proxy associated with the second microservice; and maintaining the encrypted data within the memory, for use with the second microservice, as accessible with the communicated encryption key.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: March 22, 2022
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Kshitij Arun Doshi, Francesc Guim Bernat, Mona Vij
  • Publication number: 20220012369
    Abstract: In one embodiment, an apparatus comprises a processing circuitry to detect an occurrence of at least one of a single-stepping event or a zero-stepping event in an execution thread on an architecturally protected enclave and in response to the occurrence, implement at least one mitigation process to inhibit further occurrences of the at least one of a single-stepping event or a zero-stepping event in the architecturally protected enclave.
    Type: Application
    Filed: September 24, 2021
    Publication date: January 13, 2022
    Applicant: Intel Corporation
    Inventors: Scott Constable, Yuan Xiao, Bin Xing, Mona Vij, Mark Shanahan
  • Publication number: 20210406201
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Application
    Filed: July 3, 2021
    Publication date: December 30, 2021
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati