Abstract: An internet service provider (ISP) is configured to analyze data sent by a user to determine a subscriber account associated with the data and a user associated with the data. A database is then queried to determine the number of users of the subscriber account, with a number above a threshold indicating a likely theft of service. This automatic process is accompanied by automated messaging to the user with information as to the measures taken and remedial options. The messaging may be different dependent on whether the user is deemed to be an authorized user having subscriber account administration rights.

Abstract: In an embodiment, a device interrupt manager may be configured to receive an interrupt from a device that is assigned to a guest. The device interrupt manager may be configured to transmit an operation targeted to a memory location in a system memory to record the interrupt for a virtual processor within the guest, wherein the interrupt is to be delivered to the targeted virtual processor. In an embodiment, a virtual machine manager may be configured to detect that an interrupt has been recorded by the device interrupt manager for a virtual processor that is not currently executing. The virtual machine manager may be configured to schedule the virtual processor for execution on a hardware processor, or may prioritize the virtual processor for scheduling, in response to the interrupt.

Abstract: In an embodiment, a device interrupt manager may be configured to receive an interrupt from a device that is assigned to a guest. The device interrupt manager may be configured to transmit an operation targeted to a memory location in a system memory to record the interrupt for a virtual processor within the guest, wherein the interrupt is to be delivered to the targeted virtual processor. In an embodiment, a virtual machine manager may be configured to detect that an interrupt has been recorded by the device interrupt manager for a virtual processor that is not currently executing. The virtual machine manager may be configured to schedule the virtual processor for execution on a hardware processor, or may prioritize the virtual processor for scheduling, in response to the interrupt.

Abstract: In an embodiment, a device interrupt manager may be configured to receive an interrupt from a device that is assigned to a guest. The device interrupt manager may be configured to transmit an operation targeted to a memory location in a system memory to record the interrupt for a virtual processor within the guest, wherein the interrupt is to be delivered to the targeted virtual processor. In an embodiment, a virtual machine manager may be configured to detect that an interrupt has been recorded by the device interrupt manager for a virtual processor that is not currently executing. The virtual machine manager may be configured to schedule the virtual processor for execution on a hardware processor, or may prioritize the virtual processor for scheduling, in response to the interrupt.

Abstract: A memory management unit (MMU) is disclosed for managing a memory storing data arranged within a plurality of memory pages. The MMU includes a security check unit (SCU) receiving a linear address generated during execution of a current instruction. The linear address has a corresponding physical address residing within a selected memory page. The SCU uses the linear address to access one or more security attribute data structures located in the memory to obtain a security attribute of the selected memory page. The SCU compares a numerical value conveyed by a security attribute of the current instruction to a numerical value conveyed by the security attribute of the selected memory page, and produces an output signal dependent upon a result of the comparison. The MMU accesses the selected memory page dependent upon the output signal.

Abstract: In an embodiment, a guest interrupt control unit in a hardware processor may be configured to detect that an interrupt has been recorded in a memory location corresponding to a virtual processor, wherein the interrupt is targeted at the virtual processor. In response to the virtual processor being active on the hardware processor, the guest interrupt control unit is configured to provide the interrupt to the guest that includes the virtual processor. In an embodiment, a processor is configured to execute instructions from a guest, wherein the processor is configured to detect an instruction that accesses interrupt controller state data associated with a virtual processor in the guest, and wherein the processor is configured to access a memory location that stores interrupt controller state data corresponding to the virtual processor in response to the instruction.

Abstract: In an embodiment, a device interrupt manager may be configured to receive an interrupt from a device that is assigned to a guest. The device interrupt manager may be configured to transmit an operation targeted to a memory location in a system memory to record the interrupt for a virtual processor within the guest, wherein the interrupt is to be delivered to the targeted virtual processor. In an embodiment, a virtual machine manager may be configured to detect that an interrupt has been recorded by the device interrupt manager for a virtual processor that is not currently executing. The virtual machine manager may be configured to schedule the virtual processor for execution on a hardware processor, or may prioritize the virtual processor for scheduling, in response to the interrupt.

Abstract: A method and apparatus for restricting the execution of security sensitive instructions. A first security identification (ID) is associated with each of a plurality of instructions or a set of instructions that are to be executed by a processor. Software code running on the processor requests to execute at least one of the plurality of instructions or set of instructions. The processor obtains a second security ID associated with the software code running thereon and compares the second security ID with the first security ID. The processor executes the requested instruction or set of instructions providing that the second security ID matches the first security ID.

Abstract: A method and an apparatus for performing an I/O device access using targeted security. A software object is executed. A security level for the software object is established. A multi-table input/output (I/O) space access is performed using at least one of the security levels. The function of the object is executed.

Abstract: A method and an apparatus for performing a virtual address based memory access. A software object is executed. A security level for the software object is established. A virtual address based memory access is performed using at least one of the security levels. The function of the object is executed based upon the virtual address based memory access.

Abstract: A method and apparatus for selectively executing an I/O instruction. The method includes creating an I/O permission bitmap in a memory and receiving an I/O port number and a security context identification (SCID) value. The method also includes using the SCID value and the I/O port number to access the I/O permission bitmap stored to obtain a permission bit corresponding to the I/O port and executing the I/O instruction dependent upon a value of the permission bit corresponding to the I/O port. The I/O permission bitmap includes a plurality of permission bits. Each of the permission bits corresponds to a different one of a plurality of I/O ports. Each of the permission bits has a value indicating whether access to the corresponding I/O port is allowed. The I/O port number indicates the I/O port referenced by the I/O instruction. The SCID value indicates a security context level of a memory location including the I/O instruction.

Abstract: A method and system for handling a security exception. The method includes creating a security exception stack frame in secure memory at a base address. The method also includes writing a faulting code sequence address and one or more register values into the security exception stack frame, and executing a plurality of security exception instructions.

Abstract: A host bridge is described including a memory controller and a security check unit. The memory controller is adapted for coupling to a memory storing data arranged within a multiple memory pages. The memory controller receives memory access signals (e.g., during a memory access), and responds to the memory access signals by accessing the memory. The security check unit receives the memory access signals, wherein the memory access signals convey a physical address within a target memory page. The security check unit uses the physical address to access one or more security attribute data structures located in the memory to obtain a security attribute of the target memory page. The security check unit provides the memory access signals to the memory controller dependent upon the security attribute of the target memory page.

Abstract: In one aspect of the present invention, an apparatus for converting a virtual address to a physical address is provided. The apparatus comprises a comparator, a first mechanism, and a second mechanism. The comparator is adapted to receive the virtual address and deliver a first signal indicating that the virtual address is outside a first preselected range, and a second signal indicating that the virtual address is within the first preselected range. The first mechanism is adapted to generate a first physical address from the virtual address in response to receiving the first signal, and the second mechanism is adapted to generate a second physical address from the virtual address in response to receiving the second signal.

Abstract: A memory management unit (MMU) is disclosed for managing a memory storing data arranged within a multiple memory pages. The memory management unit includes a security check receiving a physical address within a selected memory page, and security attributes of the selected memory page. The security check unit uses the physical address to access one or more security attribute data structures located in the memory to obtain an additional security attribute of the selected memory page. The security check unit generates a fault signal dependent upon the security attributes of selected memory page and the additional security attribute of the selected memory page. The security attributes of the selected memory page may include a user/supervisor (U/S) bit and a read/write (R/W) bit as defined by the ×86 processor architecture. The one or more security attribute data structures may include a security attribute table directory and one or more security attribute tables.

Abstract: A memory management unit (MMU) is disclosed for managing a memory storing data arranged within a plurality of memory pages. The MMU includes a security check unit (SCU) receiving a physical address generated during execution of a current instruction. The physical address resides within a selected memory page. The SCU uses the physical address to access one or more security attribute data structures located in the memory to obtain a security attribute of the selected memory page, compares a numerical value conveyed by a security attribute of the current instruction to a numerical value conveyed by the security attribute of the selected memory page, and produces an output signal dependent upon a result of the comparison. The MMU accesses the selected memory page dependent upon the output signal. The security attribute of the selected memory page may include a security context identification (SCID) value indicating a security context level of the selected memory page.

Abstract: A method and an apparatus for performing a virtual memory access. A software object is executed. A security level for the software object is established. A secondary table is established. A memory access request based upon the executing of the software object is received. At least one security level that corresponds to a segment in the secondary table is determined. A match between an execution security level and a security level associated with a segment being accessed is verified in response to an execution of the software object. A virtual memory address based upon the secondary table in response to a match between the execution security level and the security level associated with the segment being accessed is determined. A physical memory location corresponding to the virtual memory address is located. A portion of a memory based upon locating the physical memory location is accessed.

Abstract: A method and an apparatus for performing an I/O device access using targeted security. A software object is executed. A security level for the software object is established. A multi-table input/output (I/O) space access is performed using at least one of the security levels. The function of the object is executed.

Abstract: A method and system for handling a security exception. The method includes creating a security exception stack frame in secure memory at a base address. The method also includes writing a faulting code sequence address and one or more register values into the security exception stack frame, and executing a plurality of security exception instructions.

Abstract: A method and system for performing the method. a method is provided. The method includes executing an insecure routine and receiving a request from the insecure routine. The method also includes performing a first evaluation of the request in hardware, and performing a second evaluation of the request in a secure routine in software. The computer system includes a processor configurable to execute a secure routine and an insecure routine. The computer system also includes hardware coupled to perform a first evaluation of a request associated with the insecure routine. The hardware is further configured to provide a notification of the request to the secure routine. The secure routine is configured to perform a second evaluation of the request. The secure routine is further configured to deny a requested response to the request.