Patents by Inventor Mona Vij

Mona Vij has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180183578
    Abstract: A secure key manager enclave is provided on a host computing system to send an attestation quote to a secure key store system identifying attributes of the key manager enclave and signed by a hardware-based key of the host computing system to attest to trustworthiness of the secure key manager enclave. The secure key manager enclave receives a request to provide a root key for a particular virtual machine to be run on the host computing system, generates a secure data structure in secure memory of the host computing system to be associated with the particular virtual machine, and provisions the root key in the secure data structure using the key manager enclave, where the key manager enclave is to have privileged access to the secure data structure.
    Type: Application
    Filed: December 27, 2016
    Publication date: June 28, 2018
    Applicant: Intel Corporation
    Inventors: Somnath Chakrabarti, Vincent R. Scarlata, Mona Vij, Carlos V. Rozas, Ilya Alexandrovich, Simon P. Johnson
  • Publication number: 20180114012
    Abstract: Methods and apparatus for implemented trusted packet processing for multi-domain separatization and security. Secure enclaves are created in system memory of a compute platform configured to support a virtualized execution environment including a plurality of virtual machines (VMs) or containers, each secure enclave occupying a respective protected portion of the system memory, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The software in the secure enclaves is then executed to perform the packet processing operations.
    Type: Application
    Filed: October 20, 2016
    Publication date: April 26, 2018
    Inventors: Kapil Sood, Somnath Chakrabarti, Wei Shen, Carlos V. Rozas, Mona Vij, Vincent R. Scarlata
  • Publication number: 20180114013
    Abstract: Methods and apparatus for extending packet processing to trusted programmable and fixed-function accelerators. Secure enclaves are created in system memory of a compute platform, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The compute platform further includes one or more hardware-based accelerators that are used by the software to offload packet processing operations. The accelerators are configured to read packet data from input queues, process the data, and output processed data to output queues, wherein the input and output queues are located in encrypted portions of memory that may be in a secure enclave or external to the secure enclaves.
    Type: Application
    Filed: October 20, 2016
    Publication date: April 26, 2018
    Inventors: Kapil Sood, Somnath Chakrabarti, Wei Shen, Carlos V. Rozas, Mona Vij, Vincent R. Scarlata
  • Patent number: 9942035
    Abstract: A processor to support platform migration of secure enclaves is disclosed. In one embodiment, the processor includes a memory controller unit to access secure enclaves and a processor core coupled to the memory controller unit. The processor core to identify a control structure associated with a secure enclave. The control structure comprises a plurality of data slots and keys associated with a first platform comprising the memory controller unit and the processor core. A version of data from the secure enclave is associated with the plurality of data slots. Migratable keys are generated as a replacement for the keys associated with the control structure. The migratable keys control access to the secure enclave. Thereafter, the control structure is migrated to a second platform to enable access to the secure enclave on the second platform.
    Type: Grant
    Filed: August 18, 2015
    Date of Patent: April 10, 2018
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. McKeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich
  • Publication number: 20180097809
    Abstract: Particular embodiments described herein provide for receiving a request from a first cloud component in a cloud network, wherein the request is to access a key and the key allows the first cloud component to access located trusted execution environment of a second cloud component in the cloud network and allow the request on the condition that the first cloud component is authenticated. A more specific example includes determining a type for the first cloud component, and comparing the determined type of the first cloud component with a component type associated with the key. The example may also include blocking the request if the determined type of the first cloud component does not match the component type associated with the key.
    Type: Application
    Filed: September 30, 2016
    Publication date: April 5, 2018
    Applicant: Intel Corporation
    Inventors: Somnath Chakrabarti, Mona Vij, Carlos V. Rozas, Brandon Baker, Vincent R. Scarlata, Malini K. Bhandaru, Ning Sun, Jun Nakajima, Francis X. McKeen, Simon P. Johnson
  • Publication number: 20180089468
    Abstract: A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out, or not performing the given security check, if it was determined that the protected container page was not live stored out. Other methods, as well as processors, computer systems, and machine-readable medium providing instructions are also disclosed.
    Type: Application
    Filed: September 23, 2016
    Publication date: March 29, 2018
    Applicant: Intel Corporation
    Inventors: Carlos V. Rozas, Mona Vij, Somnath Chakrabarti
  • Patent number: 9870467
    Abstract: In an embodiment, at least one machine-readable storage medium includes instructions that when executed enable a system to receive, at a special library of a parent process located outside of a parent protected region of the parent process, from the parent protected region of the parent process, a call to create a child process and responsive to the call received at the special library, issue by the special library a first request and a second request. The first request is to execute, by a processor, a non-secure instruction to create the child process. The second request is to execute, by the processor, a first secure instruction to create a child protected region within the child process. Responsive to the first request the child process is to be created and responsive to the second request the child protected region is to be created. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: January 16, 2018
    Assignee: Intel Corporation
    Inventors: Prashant Pandey, Mona Vij, Somnath Chakrabarti, Krystof C. Zmudzinski
  • Publication number: 20180004683
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Application
    Filed: July 17, 2017
    Publication date: January 4, 2018
    Applicant: lntel Corporation
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
  • Publication number: 20180007023
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to determine that a secure domain has been created on a device, where keys are required to access the secure domain, obtain the keys that are required to access the secure domain from a network element, and encrypt the keys and store the encrypted keys on the device. In an example, only the secure domain can decrypt the encrypted keys and the device is a virtual machine.
    Type: Application
    Filed: July 1, 2016
    Publication date: January 4, 2018
    Applicant: Intel Corporation
    Inventors: Somnath Chakrabarti, Mona Vij, Carlos V. Rozas, Brandon Baker, Vincent R. Scarlata, Francis X. McKeen, Simon P. Johnson
  • Publication number: 20180006809
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to store data in a secure domain in a cloud network, create encryption keys, where each encryption key is to provide a different type of access to the data, and store the encryption keys in a secure domain key store in the cloud network. In an example, each encryption key provides access to a different version of the data. In another example, a counter engine stores the location of each version of the data in the cloud network.
    Type: Application
    Filed: July 1, 2016
    Publication date: January 4, 2018
    Applicant: Intel Corporation
    Inventors: Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas, Simon P. Johnson, Bo Zhang, Mona Vij, Brandon Baker, Mohan J. Kumar, Asit K. Mallick, Mark A. Gentry, Somnath Chakrabarti
  • Publication number: 20180007051
    Abstract: A processor of an aspect includes a decode unit to decode an instruction. The instruction to indicate a first structure in a protected container memory and to indicate a second structure in the protected container memory. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine whether a status indicator is configured to allow at least one key to be exchanged between the first and second structures, and is to exchange the at least one key between the first and second structures when the status indicator is configured to allow the at least one key to be exchanged between the first and second structures.
    Type: Application
    Filed: July 2, 2016
    Publication date: January 4, 2018
    Applicant: Intel Corporation
    Inventors: Mona Vij, Somnath Chakrabarti, Carlos V. Rozas, Asit K. Mallick
  • Publication number: 20170286645
    Abstract: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.
    Type: Application
    Filed: June 13, 2017
    Publication date: October 5, 2017
    Inventors: Prashant Pandey, Mona Vij, Somnath Chakrabarti, Krystof C. Zmudzinski
  • Patent number: 9716710
    Abstract: Technologies for secure access to platform security services include a computing device having a processor and a security engine. The computing device establishes a platform services enclave in a virtual machine of the computing device using secure enclave support of the processor. The platform services enclave receives a platform services request from an application enclave via a first authenticated session and transmits the platform services request to a virtual security engine established by a host environment via a second authenticated session. The first and second authenticated sessions may be authenticated by report-based attestation and quote-based attestation, respectively. The virtual security engine transmits the platform services request to the security engine via a long-term pairing session established by the virtual security engine with the security engine. The security engine performs the platform services request using hardware resources shared with other platform services enclaves.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: July 25, 2017
    Assignee: Intel Corporation
    Inventors: Mona Vij, Carlos V. Rozas, Vincent R. Scarlata, Francis X. McKeen, Bo Zhang
  • Patent number: 9710622
    Abstract: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.
    Type: Grant
    Filed: February 23, 2015
    Date of Patent: July 18, 2017
    Assignee: Intel Corporation
    Inventors: Prashant Pandey, Mona Vij, Somnath Chakrabarti, Krystof C. Zmudzinski
  • Patent number: 9710401
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: July 18, 2017
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. McKeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
  • Publication number: 20170054557
    Abstract: A processor to support platform migration of secure enclaves is disclosed. In one embodiment, the processor includes a memory controller unit to access secure enclaves and a processor core coupled to the memory controller unit. The processor core to identify a control structure associated with a secure enclave. The control structure comprises a plurality of data slots and keys associated with a first platform comprising the memory controller unit and the processor core. A version of data from the secure enclave is associated with the plurality of data slots. Migratable keys are generated as a replacement for the keys associated with the control structure. The migratable keys control access to the secure enclave. Thereafter, the control structure is migrated to a second platform to enable access to the secure enclave on the second platform.
    Type: Application
    Filed: August 18, 2015
    Publication date: February 23, 2017
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. McKeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich
  • Publication number: 20160378688
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Application
    Filed: June 26, 2015
    Publication date: December 29, 2016
    Applicant: Intel Corporation
    Inventors: CARLOS V. ROZAS, MONA VIJ, REBEKAH M. LESLIE-HURD, KRYSTOF C. ZMUDZINSKI, SOMNATH CHAKRABARTI, FRANCIS X. MCKEEN, VINCENT R. SCARLATA, SIMON P. JOHNSON, ILYA ALEXANDROVICH, GILBERT NEIGER, VEDVYAS SHANBHOGUE, ITTAI ANATI
  • Publication number: 20160381005
    Abstract: Technologies for secure access to platform security services include a computing device having a processor and a security engine. The computing device establishes a platform services enclave in a virtual machine of the computing device using secure enclave support of the processor. The platform services enclave receives a platform services request from an application enclave via a first authenticated session and transmits the platform services request to a virtual security engine established by a host environment via a second authenticated session. The first and second authenticated sessions may be authenticated by report-based attestation and quote-based attestation, respectively. The virtual security engine transmits the platform services request to the security engine via a long-term pairing session established by the virtual security engine with the security engine. The security engine performs the platform services request using hardware resources shared with other platform services enclaves.
    Type: Application
    Filed: June 26, 2015
    Publication date: December 29, 2016
    Inventors: Mona Vij, Carlos V. Rozas, Vincent R. Scarlata, Francis X. McKeen, Bo Zhang
  • Publication number: 20160283409
    Abstract: In an embodiment, at least one machine-readable storage medium includes instructions that when executed enable a system to receive, at a special library of a parent process located outside of a parent protected region of the parent process, from the parent protected region of the parent process, a call to create a child process and responsive to the call received at the special library, issue by the special library a first request and a second request. The first request is to execute, by a processor, a non-secure instruction to create the child process. The second request is to execute, by the processor, a first secure instruction to create a child protected region within the child process. Responsive to the first request the child process is to be created and responsive to the second request the child protected region is to be created. Other embodiments are described and claimed.
    Type: Application
    Filed: March 27, 2015
    Publication date: September 29, 2016
    Inventors: Prashant Pandey, Mona Vij, Somnath Chakrabarti, Krystof C. Zmudzinski
  • Publication number: 20160246720
    Abstract: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.
    Type: Application
    Filed: February 23, 2015
    Publication date: August 25, 2016
    Inventors: Prashant Pandey, Mona Vij, Somnath Chakrabarti, Krystof C. Zmudzinski