Abstract: In one embodiment, an encoded pointer is constructed from a stack pointer that includes offset. The encoded pointer includes the offset value and ciphertext that is based on encrypting a portion of a decorated pointer that includes a maximum offset value. Stack data is encrypted based on the encoded pointer, and the encoded pointer is stored in a stack pointer register of a processor. To access memory, a decoded pointer is constructed based on decrypting the ciphertext of the encoded pointer and the offset value. Encrypted stack data is accessed based on the decoded pointer, and the encrypted stack is decrypted based on the encoded pointer.

Abstract: A system for detecting malware includes a processor to collect processor trace information corresponding to an application being executed by the processor (202). The processor can also detect an invalid indirect branch instruction from the processor trace information (204) and detect at least one malware instruction being executed by the application in response to analyzing modified memory values corresponding to the invalid indirect branch (206). Additionally, the processor can block the application from accessing or modifying memory (208).

Abstract: A processor includes a register to store an encoded pointer to a memory location in memory and the encoded pointer is to include an encrypted portion. The processor further includes circuitry to determine a first data encryption factor based on a first data access instruction, decode the encoded pointer to obtain a memory address of the memory location, use the memory address to access an encrypted first data element, and decrypt the encrypted first data element using a cryptographic algorithm with first inputs to generate a decrypted first data element. The first inputs include the first data encryption factor based on the first data access instruction and a second data encryption factor from the encoded pointer.

Abstract: A processor includes a register to store an encoded pointer to a variable in stack memory. The encoded pointer includes an encrypted portion and a fixed plaintext portion of a memory address corresponding to the variable. The processor further includes circuitry to, in response to a memory access request for associated with the variable, decrypt the encrypted portion of the encoded pointer to obtain first upper address bits of the memory address and a memory allocation size for a variable, decode the encoded pointer to obtain the memory address, verify the memory address is valid based, at least in part on the memory allocation size, and in response to determining that the memory address is valid, allow the memory access request.

Abstract: A processor, a system, a machine readable medium, and a method.

Abstract: Technologies provide domain isolation using encoded pointers to data and code. A system may be configured for decoding an encoded pointer to obtain a linear address of an encrypted code block of a first software component in memory. The first software component shares a linear address space of the memory with a plurality of software components. A processor uses the linear address to access the encrypted code block, determines a relative position of the encrypted code block within a memory slot of the linear address space, and decrypts the encrypted code block to generate a decrypted code block using a code key and a code tweak. The code tweak includes a relative position of the encrypted code block in the address space and domain metadata that uniquely identifies the software component. In some scenarios, the software component may be position independent code and may be relocatable to different address spaces.

Abstract: Techniques for cryptographic computing isolation are described. A processor includes circuitry to be coupled to memory configured to store one or more instructions. The circuitry is to execute the one or more instructions to instantiate a first process based on an application. To instantiate the first process is to include creating a context table to be used by the first process, identifying a software component to be invoked during the first process, encrypting the software component using a first cryptographic key, and creating a first entry in the context table. The first entry is to include first context information identifying the encrypted software component and second context information representing the first cryptographic key. In more specific embodiments, third context information representing a first load address of the encrypted software component is stored in the first entry of the context table.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed for anomalous memory access pattern detection for translational lookaside buffers. An example apparatus includes a communication interface to retrieve a first eviction data set from a translational lookaside buffer associated with a central processing unit; a machine learning engine to: generate an anomaly detection model based upon at least one of a second eviction data set not including an anomaly and a third eviction data set including the anomaly; and determine whether the anomaly is present in the first eviction data set based on the anomaly detection model; and an alert generator to at least one of modify a bit value or terminate memory access operations when the anomaly is determined to be present.

Abstract: Methods, systems, articles of manufacture and apparatus to detect process hijacking are disclosed herein. An example apparatus to detect control flow anomalies includes a parsing engine to compare a target instruction pointer (TIP) address to a dynamic link library (DLL) module list, and in response to detecting a match of the TIP address to a DLL in the DLL module list, set a first portion of a normalized TIP address to a value equal to an identifier of the DLL. The example apparatus disclosed herein also includes a DLL entry point analyzer to set a second portion of the normalized TIP address based on a comparison between the TIP address and an entry point of the DLL, and a model compliance engine to generate a flow validity decision based on a comparison between (a) the first and second portion of the normalized TIP address and (b) a control flow integrity model.

Abstract: A method comprises detecting execution of a fork( ) operation in a cryptographic computing system that generates a parent process and a child process, assigning a parent kernel data structure to the parent process and a child kernel data structure to the child process, detecting, in the child process, a write operation comprising write data and a cryptographic target address, and in response to the write operation blocking access to a corresponding page in the parent process, allocating a new physical page in memory for the child process, encrypting the write data with a cryptographic key unique to the child process, and filling the new physical page in memory with magic marker data.

Abstract: In one embodiment, a processor includes a memory hierarchy that stores encrypted data, tracking circuitry that tracks an execution context for instructions executed by the processor, and cryptographic computing circuitry to encrypt/decrypt data that is stored in the memory hierarchy. The cryptographic computing circuitry obtains context information from the tracking circuitry for a load instruction to be executed by the processor, where the context information indicates information about branch predictions made by a branch prediction unit of the processor, and decrypts the encrypted data using a key and the context information as a tweak input to the decryption.

Abstract: The present disclosure is directed to systems and methods of detecting a side-channel attack using hardware counter anomaly detection circuitry to select a subset of HPCs demonstrating anomalous behavior in response to a side-channel attack. The hardware counter anomaly detection circuitry includes data collection circuitry to collect data from a plurality of HPCs, time/frequency domain transform circuitry to transform the collected data to the frequency domain, one-class support vector anomaly detection circuitry to detect anomalous or aberrant behavior by the HPCs. The hardware counter anomaly detection circuitry selects the HPCs having reliable and consistent anomalous activity or behavior in response to a side-channel attack and groups those HPCs into a side-channel attack detection HPC sub-set that may be communicated to one or more external devices.

Abstract: The present invention discloses a secure ML pipeline to improve the robustness of ML models against poisoning attacks and utilizing data provenance as a tool. Two components are added to the ML pipeline, a data quality pre-processor, which filters out untrusted training data based on provenance derived features and an audit post-processor, which localizes the malicious source based on training dataset analysis using data provenance.

Abstract: Methods, apparatus, systems and articles of manufacture for detecting a side channel attack using hardware performance counters are disclosed. An example apparatus includes a hardware performance counter data organizer to collect a first value of a hardware performance counter at a first time and a second value of the hardware performance counter at a second time. A machine learning model processor is to apply a machine learning model to predict a third value corresponding to the second time. An error vector generator is to generate an error vector representing a difference between the second value and the third value. An error vector analyzer is to determine a probability of the error vector indicating an anomaly. An anomaly detection orchestrator is to, in response to the probability satisfying a threshold, cause the performance of a responsive action to mitigate the side channel anomaly.

Abstract: In one embodiment, an encoded pointer is constructed from a stack pointer that includes offset. The encoded pointer includes the offset value and ciphertext that is based on encrypting a portion of a decorated pointer that includes a maximum offset value. Stack data is encrypted based on the encoded pointer, and the encoded pointer is stored in a stack pointer register of a processor. To access memory, a decoded pointer is constructed based on decrypting the ciphertext of the encoded pointer and the offset value. Encrypted stack data is accessed based on the decoded pointer, and the encrypted stack is decrypted based on the encoded pointer.

Abstract: Embodiments described herein provide for a computing device comprising a hardware processor including a processor trace module to generate trace data indicative of an order of instructions executed by the processor, wherein the processor trace module is configurable to selectively output a processor trace packet associated with execution of a selected non-deterministic control flow transfer instruction.

Abstract: A processor includes a register to store an encoded pointer to a variable in stack memory. The encoded pointer includes an encrypted portion and a fixed plaintext portion of a memory address corresponding to the variable. The processor further includes circuitry to, in response to a memory access request for associated with the variable, decrypt the encrypted portion of the encoded pointer to obtain first upper address bits of the memory address and a memory allocation size for a variable, decode the encoded pointer to obtain the memory address, verify the memory address is valid based, at least in part on the memory allocation size, and in response to determining that the memory address is valid, allow the memory access request.

Abstract: A processor includes a register to store an encoded pointer to a memory location in memory and the encoded pointer is to include an encrypted portion. The processor further includes circuitry to determine a first data encryption factor based on a first data access instruction, decode the encoded pointer to obtain a memory address of the memory location, use the memory address to access an encrypted first data element, and decrypt the encrypted first data element using a cryptographic algorithm with first inputs to generate a decrypted first data element. The first inputs include the first data encryption factor based on the first data access instruction and a second data encryption factor from the encoded pointer.

Abstract: Described herein are techniques for dealing with the problem of security vulnerabilities in computer software due to undefined behavior that may be exploited by attackers. A machine learning (ML) model is used for detecting an exploit execution within a given trace of application execution. In a specific embodiment, the ML model identifies whether there is any gadget or gadget-chain execution at branch points of a subject program.

Abstract: Technologies disclosed herein provide for converting a first data of a first control flow packet to a first pixel, where the first data indicates one or more branches taken during a known execution of an application, generating an array of pixels using the first pixel and one or more other pixels associated with one or more other control flow packets generated from the known execution, transforming the array of pixels into a series of images, and using a machine learning algorithm with inputs to train a behavior model to identify a malicious behavior in an unknown execution of the application. The inputs include one or more images of the series of images and respective image labels assigned to the one or more images. More specific embodiments include extracting the first control flow packet from an execution trace representing at least part of the known execution.