Patents by Inventor Mona Vij

Mona Vij has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10642972
    Abstract: Methods and apparatus for extending packet processing to trusted programmable and fixed-function accelerators. Secure enclaves are created in system memory of a compute platform, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The compute platform further includes one or more hardware-based accelerators that are used by the software to offload packet processing operations. The accelerators are configured to read packet data from input queues, process the data, and output processed data to output queues, wherein the input and output queues are located in encrypted portions of memory that may be in a secure enclave or external to the secure enclaves.
    Type: Grant
    Filed: October 20, 2016
    Date of Patent: May 5, 2020
    Assignee: Intel Corporation
    Inventors: Kapil Sood, Somnath Chakrabarti, Wei Shen, Carlos V. Rozas, Mona Vij, Vincent R. Scarlata
  • Publication number: 20200136799
    Abstract: Methods, apparatus, systems and articles of manufacture to determine provenance for data supply chains are disclosed. Example instructions cause a machine to at least, in response to data being generated, generate a local data object and object metadata corresponding to the data; hash the local data object; generate a hash of a label of the local data object; generate a hierarchical data structure for the data including the hash of the local data object and the hash of the label of the local data object; generate a data supply chain object including the hierarchical data structure; and transmit the data and the data supply chain object to a device that requested access to the data.
    Type: Application
    Filed: December 20, 2019
    Publication date: April 30, 2020
    Inventors: Ned Smith, Francesc Guim Bernat, Sanjay Bakshi, Paul O'Neill, Ben McCahill, Brian A. Keating, Adrian Hoban, Kapil Sood, Mona Vij, Nilesh Jain, Rajesh Poornachandran, Trevor Cooper, Kshitij A. Doshi, Marcin Spoczynski
  • Publication number: 20200127980
    Abstract: Various approaches for memory encryption management within an edge computing system are described. In an edge computing system deployment, a computing device includes capabilities to store and manage encrypted data in memory, through processing circuitry configured to: allocate memory encryption keys according to a data isolation policy for a microservice domain, with respective keys used for encryption of respective sets of data within the memory (e.g., among different tenants or tenant groups); and, share data associated with a first microservice to a second microservice of the domain. Such sharing may be based on the communication of an encryption key, used to encrypt the data in memory, from a proxy (such as a sidecar) associated with the first microservice to a proxy associated with the second microservice; and maintaining the encrypted data within the memory, for use with the second microservice, as accessible with the communicated encryption key.
    Type: Application
    Filed: December 20, 2019
    Publication date: April 23, 2020
    Inventors: Ned M. Smith, Kshitij Arun Doshi, Francesc Guim Bernat, Mona Vij
  • Patent number: 10558588
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Grant
    Filed: July 17, 2017
    Date of Patent: February 11, 2020
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
  • Patent number: 10540291
    Abstract: Translation lookaside buffer (TLB) tracking and managing technologies are described. A processing device comprises a translation lookaside buffer (TLB) and a processing core to execute a virtual machine monitor (VMM), the VMM to manage a virtual machine (VM) including virtual processors. The processing core to execute, via the VM, a plurality of conversion instructions on at least one of the virtual processors to convert a plurality of non-secure pages to a plurality of secure pages. The processing core also to execute, via the VM, one or more allocation instructions on the at least one of the virtual processors to allocate at least one secure page of the plurality of secure pages, execution of the one or more allocation instructions to include determining whether the TLB is cleared of mappings to the at least one secure page prior to allocating the at least one secure page.
    Type: Grant
    Filed: May 10, 2017
    Date of Patent: January 21, 2020
    Assignee: Intel Corporation
    Inventors: Krystof C. Zmudzinski, Carlos V. Rozas, Francis X. McKeen, Rebekah M. Leslie-Hurd, Meltem Ozsoy, Somnath Chakrabarti, Mona Vij
  • Patent number: 10534724
    Abstract: Instructions and logic support suspending and resuming migration of enclaves in a secure enclave page cache (EPC). An EPC stores a secure domain control structure (SDCS) in storage accessible by an enclave for a management process, and by a domain of enclaves. A second processor checks if a corresponding version array (VA) page is bound to the SDCS, and if so: increments a version counter in the SDCS for the page, performs an authenticated encryption of the page from the EPC using the version counter in the SDCS, and writes the encrypted page to external memory. A second processor checks if a corresponding VA page is bound to a second SDCS of the second processor, and if so: performs an authenticated decryption of the page using a version counter in the second SDCS, and loads the decrypted page to the EPC in the second processor if authentication passes.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: January 14, 2020
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Ilya Alexandrovich, Gilbert Neiger, Francis X. McKeen, Ittai Anati, Vedvyas Shanbhogue, Mona Vij, Rebekah Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Vincent R. Scarlata, Simon P. Johnson
  • Patent number: 10528721
    Abstract: Methods and apparatus for implemented trusted packet processing for multi-domain separatization and security. Secure enclaves are created in system memory of a compute platform configured to support a virtualized execution environment including a plurality of virtual machines (VMs) or containers, each secure enclave occupying a respective protected portion of the system memory, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The software in the secure enclaves is then executed to perform the packet processing operations.
    Type: Grant
    Filed: October 20, 2016
    Date of Patent: January 7, 2020
    Assignee: Intel Corporation
    Inventors: Kapil Sood, Somnath Chakrabarti, Wei Shen, Carlos V. Rozas, Mona Vij, Vincent R. Scarlata
  • Publication number: 20200004552
    Abstract: Detailed herein are systems, apparatuses, and methods for a computer architecture with instruction set support to mitigate against page fault- and/or cache-based side-channel attacks. In an embodiment, an apparatus includes a decoder to decode a first instruction, the first instruction having a first field for a first opcode that indicates that execution circuitry is to set a first flag in a first register that indicates a mode of operation that redirects program flow to an exception handler upon the occurrence of an event. The apparatus further includes execution circuitry to execute the decoded first instruction to set the first flag in the first register that indicates the mode of operation and to store an address of an exception handler in a second register.
    Type: Application
    Filed: June 29, 2018
    Publication date: January 2, 2020
    Inventors: Fangfei LIU, Bin XING, Michael STEINER, Mona VIJ, Carlos ROZAS, Francis MCKEEN, Meltem OZSOY, Matthew FERNANDEZ, Krystof ZMUDZINSKI, Mark SHANAHAN
  • Publication number: 20190332427
    Abstract: Preemptive scheduling enclaves as disclosed herein support both cooperative and preemptive scheduling of in-enclave (IE) thread execution. These preemptive scheduling enclaves may include a scheduler configured to be executed as part of normal hardware interrupt processing by enclave threads. The scheduler identifies an IE thread to be scheduled and modifies enclave data structures so that when the enclave thread resumes processing after a hardware interrupt, the identified IE thread is executed, rather than the interrupted IE thread.
    Type: Application
    Filed: April 21, 2017
    Publication date: October 31, 2019
    Applicant: INTEL CORPORATION
    Inventors: Hongliang TIAN, Shoumeng YAN, Mona VIJ
  • Publication number: 20190325168
    Abstract: A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out, or not performing the given security check, if it was determined that the protected container page was not live stored out. Other methods, as well as processors, computer systems, and machine-readable medium providing instructions are also disclosed.
    Type: Application
    Filed: June 29, 2019
    Publication date: October 24, 2019
    Inventors: Carlos V. Rozas, Mona Vij, Somnath Chakrabarti
  • Publication number: 20190251257
    Abstract: A processor includes a processing core to identify a code comprising a plurality of instructions to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of the first virtual memory page and a second address of the first physical memory page, store, in the cache memory, the address translation data structure comprising the first address mapping, and execute the code by retrieving the first address mapping in the address translation data structures to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of
    Type: Application
    Filed: February 15, 2018
    Publication date: August 15, 2019
    Inventors: Francis McKeen, Bin Xing, Krystof Zmudzinski, Carlos Rozas, Mona Vij
  • Patent number: 10346641
    Abstract: A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out, or not performing the given security check, if it was determined that the protected container page was not live stored out. Other methods, as well as processors, computer systems, and machine-readable medium providing instructions are also disclosed.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: July 9, 2019
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Mona Vij, Somnath Chakrabarti
  • Patent number: 10338957
    Abstract: A secure migration enclave is provided to identify a launch of a particular virtual machine on a host computing system, where the particular virtual machine is launched to include a secure quoting enclave to perform an attestation of one or more aspects of the virtual machine. A root key for the particular virtual machine is generated using the secure migration enclave hosted on the host computing system for use in association with provisioning the secure quoting enclave with an attestation key to be used in the attestation. The migration enclave registers the root key with a virtual machine registration service.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: July 2, 2019
    Assignee: Intel Corporation
    Inventors: Vincent R. Scarlata, Carlos V. Rozas, Simon P. Johnson, Francis X. McKeen, Mona Vij, Somnath Chakrabarti, Brandon Baker, Ittai Anati, Ilya Alexandrovich
  • Patent number: 10263988
    Abstract: A processor of an aspect includes a decode unit to decode an instruction. The instruction to indicate a first structure in a protected container memory and to indicate a second structure in the protected container memory. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine whether a status indicator is configured to allow at least one key to be exchanged between the first and second structures, and is to exchange the at least one key between the first and second structures when the status indicator is configured to allow the at least one key to be exchanged between the first and second structures.
    Type: Grant
    Filed: July 2, 2016
    Date of Patent: April 16, 2019
    Assignee: Intel Corporation
    Inventors: Mona Vij, Somnath Chakrabarti, Carlos V. Rozas, Asit K. Mallick
  • Publication number: 20190065406
    Abstract: In a method for protecting extra-enclave communications, a data processing system allocates a portion of random access memory (RAM) to a server application that is to execute at a low privilege level, and the data processing system creates an enclave comprising the portion of RAM allocated to the server application. The enclave protects the RAM in the enclave from access by software that executes at a high privilege level. The server application obtains a platform attestation report (PAR) for the enclave from the processor. The PAR includes attestation data from the processor attesting to integrity of the enclave. The server application also generates a public key certificate for the server application. The public key certificate comprises the attestation data. The server application utilizes the public key certificate to establish a transport layer security (TLS) communication channel with a client application outside of the enclave. Other embodiments are described and claimed.
    Type: Application
    Filed: October 30, 2018
    Publication date: February 28, 2019
    Inventors: Michael Steiner, Thomas Knauth, Li Lei, Bin Xing, Mona Vij, Somnath Chakrabarti
  • Publication number: 20190042478
    Abstract: A computer system for executing one or more software applications includes a host computer device configured to execute the one or more software applications. The computer system further includes one or more memory devices configured to cryptographically protect volatile memory of the one or more memory devices. The one more memory devices are configured to provide access to the cryptographically protected volatile memory for the one or more software applications. The host computer device is configured to execute the one or more software applications by executing a portion of the one or more software applications associated with the cryptographically protected volatile memory using a processor of the one or more memory devices.
    Type: Application
    Filed: August 28, 2018
    Publication date: February 7, 2019
    Inventors: Somnath Chakrabarti, Mona Vij, Matthew Hoekstra
  • Patent number: 10152350
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to determine that a secure domain has been created on a device, where keys are required to access the secure domain, obtain the keys that are required to access the secure domain from a network element, and encrypt the keys and store the encrypted keys on the device. In an example, only the secure domain can decrypt the encrypted keys and the device is a virtual machine.
    Type: Grant
    Filed: July 1, 2016
    Date of Patent: December 11, 2018
    Assignee: Intel Corporation
    Inventors: Somnath Chakrabarti, Mona Vij, Carlos V. Rozas, Brandon Baker, Vincent R. Scarlata, Francis X. McKeen, Simon P. Johnson
  • Publication number: 20180329829
    Abstract: Translation lookaside buffer (TLB) tracking and managing technologies are described. A processing device comprises a translation lookaside buffer (TLB) and a processing core to execute a virtual machine monitor (VMM), the VMM to manage a virtual machine (VM) including virtual processors. The processing core to execute, via the VM, a plurality of conversion instructions on at least one of the virtual processors to convert a plurality of non-secure pages to a plurality of secure pages. The processing core also to execute, via the VM, one or more allocation instructions on the at least one of the virtual processors to allocate at least one secure page of the plurality of secure pages, execution of the one or more allocation instructions to include determining whether the TLB is cleared of mappings to the at least one secure page prior to allocating the at least one secure page.
    Type: Application
    Filed: May 10, 2017
    Publication date: November 15, 2018
    Inventors: Krystof C. Zmudzinski, Carlos V. Rozas, Francis X. McKeen, Rebekah M. Leslie-Hurd, Meltem Ozsoy, Somnath Chakrabarti, Mona Vij
  • Patent number: 10089447
    Abstract: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.
    Type: Grant
    Filed: June 13, 2017
    Date of Patent: October 2, 2018
    Assignee: Intel Corporation
    Inventors: Prashant Pandey, Mona Vij, Somnath Chakrabarti, Krystof C. Zmudzinski
  • Publication number: 20180183580
    Abstract: A secure migration enclave is provided to identify a launch of a particular virtual machine on a host computing system, where the particular virtual machine is launched to include a secure quoting enclave to perform an attestation of one or more aspects of the virtual machine. A root key for the particular virtual machine is generated using the secure migration enclave hosted on the host computing system for use in association with provisioning the secure quoting enclave with an attestation key to be used in the attestation. The migration enclave registers the root key with a virtual machine registration service.
    Type: Application
    Filed: December 27, 2016
    Publication date: June 28, 2018
    Inventors: Vincent R. Scarlata, Carlos V. Rozas, Simon P. Johnson, Francis X. McKeen, Mona Vij, Somnath Chakrabarti, Brandon Baker, Ittai Anati, Ilya Alexandrovich