Patents by Inventor Stefan Saroiu

Stefan Saroiu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240112723
    Abstract: The present disclosure relates to systems and methods implemented on a memory controller for detecting and mitigating memory attacks (e.g., row hammer attacks). For example, a memory controller may engage a counting mode in which activation counts for memory sub-banks are tracked. For example, a memory controller may engage a counting mode in which activation counts for memory rows of memory sub-banks are maintained. Under certain conditions, the memory controller may transition from the counting mode to a sampling mode to mitigate potential row hammer attacks. The memory controller may consider various conditions in determining whether to continue detecting and mitigating potential row hammer attacks in the sampling mode and/or transitioning back to the counting mode. By selectively transitioning between the different operating modes, the memory controller may reduce periods of time when the memory hardware is vulnerable to attacks.
    Type: Application
    Filed: October 3, 2022
    Publication date: April 4, 2024
    Inventors: Ishwar AGARWAL, Stefan SAROIU, Alastair WOLMAN, Daniel Sebastian BERGER
  • Patent number: 11900127
    Abstract: Cryptographically-secured deferral tickets provided by a minting process that runs in a secure enclave on a computing device reset an authenticated watchdog timer that reboots the device from a hardware-protected recovery operating system to re-image the device into a known good state if the timer expires. The deferral tickets are written to a secure channel using a symmetric key that is provisioned by repurposing an existing Intel SGX (Software Guard Extension) Versioning Support protocol that enables migration of secrets between enclaves that have the same author. In an illustrative embodiment, the deferral ticket minting process and authenticated watchdog timer execute locally to enable automated recovery of the computing device when utilized in far edge infrastructure of a fifth generation (5G) network such as a distributed unit (DU) of a radio access network (RAN).
    Type: Grant
    Filed: December 8, 2021
    Date of Patent: February 13, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Saroiu, Varun Gandhi, Alastair Wolman, Landon Prentice Cox
  • Patent number: 11849401
    Abstract: The minimization of the amount of power consumed by an electronic device in acquiring or maintaining network connectivity with a network may extend the battery life of the electronic device. When the electronic device has established a communication connection with a wireless access point, the electronic device cycles a network interface controller of the electronic device between a power on state and a power off state without terminating the communication connection. Accordingly, the electronic device powers on a main processor of the electronic device when the network interface controller detects a beacon during the power on state that indicates the wireless access point has a buffered data frame for the electronic device.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: December 19, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ranveer Chandra, John Charles Krumm, Xia Zhou, Stefan Saroiu
  • Publication number: 20230385206
    Abstract: The present disclosure relates to systems and methods implemented on a memory controller for detecting and mitigating memory attacks (e.g., row hammer attacks). For example, a memory controller may track activations of row addresses within a memory hardware (e.g., a DRAM device) and determine whether a pattern of activations is indicative of a row hammer attack. This is determined using a counting mode for corresponding memory sub-banks. Where a likely row hammer attack is detected, the memory controller may activate a sampling mode (rather than the counting mode) for a particular sub-bank to identify which of the row addresses should be refreshed on the memory hardware. The implementations described herein provide a low computational cost alternative to heavy-handed detection mechanisms that require access to significant computing resources to accurately detect and mitigate row hammer attacks.
    Type: Application
    Filed: May 31, 2022
    Publication date: November 30, 2023
    Inventors: Ishwar AGARWAL, Stefan SAROIU, Alastair WOLMAN, Daniel Sebastian BERGER
  • Patent number: 11716627
    Abstract: Slice control elements in a 5G slicing framework are instantiated in trusted hardware to provide for sealed data transmission in a trusted slice. In addition to sealing the data plane in the trusted slice, the control plane for the slice may be secured by the instantiation into the trusted hardware of layer 2 (medium access control—MAC) scheduling functions for radio resources (e.g., subcarriers and time slots). Layer 1 (physical—PHY) may also be configured to further enhance security of the trusted slice by isolating its PHY layer from that of other trusted and non-trusted slices. Such isolation may be implemented, for example, by using dedicated PHY resources, or by limiting resource time sharing to provide temporal isolation.
    Type: Grant
    Filed: June 22, 2021
    Date of Patent: August 1, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Saroiu, Paramvir Bahl, Manikanta Kotaru
  • Publication number: 20230177148
    Abstract: A health ticket minting process operates in a secure enclave on a computing device to ensure liveness of the enclave should a maliciously-compromised operating system deny service to starve the enclave. Cryptographically-secured health tickets provided by the minting process reset an authenticated watchdog timer (AWDT) that reboots the device from a hardware-protected recovery operating system if the timer expires. The health tickets are written to a secure channel using a symmetric key that is provisioned by repurposing an existing Intel SGX (Software Guard Extension) Versioning Support protocol that enables migration of secrets between enclaves that have the same author. In the event that the enclave fails to make forward progress and health tickets are not minted, then the AWDT expires and forces the reboot and re-imaging to a known good state to evict the malware from the computing device.
    Type: Application
    Filed: December 8, 2021
    Publication date: June 8, 2023
    Inventors: Stefan SAROIU, Varun GANDHI, Alastair WOLMAN, Landon Prentice COX
  • Publication number: 20230176876
    Abstract: Cryptographically-secured deferral tickets provided by a minting process that runs in a secure enclave on a computing device reset an authenticated watchdog timer that reboots the device from a hardware-protected recovery operating system to re-image the device into a known good state if the timer expires. The deferral tickets are written to a secure channel using a symmetric key that is provisioned by repurposing an existing Intel SGX (Software Guard Extension) Versioning Support protocol that enables migration of secrets between enclaves that have the same author. In an illustrative embodiment, the deferral ticket minting process and authenticated watchdog timer execute locally to enable automated recovery of the computing device when utilized in far edge infrastructure of a fifth generation (5G) network such as a distributed unit (DU) of a radio access network (RAN).
    Type: Application
    Filed: December 8, 2021
    Publication date: June 8, 2023
    Inventors: Stefan SAROIU, Varun GANDHI, Alastair WOLMAN, Landon Prentice COX
  • Publication number: 20230129255
    Abstract: Aspects of the present disclosure relate to techniques for minimizing the effects of RowHammer and induced charge leakage. In examples, systems and methods for preventing access pattern attacks in random-access memory (RAM) are provided. In aspects, a data request associated with a page table may be determined to be a potential security risk and such potential security risk may be mitigated by randomly selecting a memory region from a subset of memory regions, copying data stored in a memory region associated with a page table entry in the page table to the second memory region, disassociating the second memory region from the subset of memory regions and associating the memory region associated with the page table to the second memory region, and updating the page table entry in the page table to refer to the second memory region.
    Type: Application
    Filed: December 28, 2022
    Publication date: April 27, 2023
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Stefan SAROIU, Alastair WOLMAN, Lucian COJOCAR, Kevin Robert LOUGHLIN
  • Publication number: 20230112352
    Abstract: A memory device comprises a memory array, a counter unit, and a service unit. The memory array comprises cells arranged in rows and columns, wherein a subset of the cells in each of the rows holds a row activation count for each row. The counter unit, in response to an activation of the row caused by a read operation on at least a portion of the row, increments the row activation count for at least one of the rows prior to a completion of the read operation, and writes-back the row activation count in an incremented state to the subset of the cells in the row that held the row activation count prior to the activation. The service unit is coupled to the counter unit and performs a service with respect to one or more other rows, offset from the row, in response to the row activation count associated with the row satisfying service criteria.
    Type: Application
    Filed: December 12, 2022
    Publication date: April 13, 2023
    Inventors: John Grant BENNETT, Stefan SAROIU
  • Publication number: 20230092245
    Abstract: Resistance to vulnerabilities from timing-based side-channel attacks on 5G network slices that share underlying physical infrastructure and resources may be enhanced by selectively imposing time-based constraints on service provisioning and data handling to obscure data-driven time variations that occur during workload execution in a slice that can leak secret information. By preventing timing leakage from the 5G network slices, an attacker cannot observe execution latencies to thereby infer the constituency of workload characteristics. In addition, the attacker cannot create contention for shared resources on its own slice to observe an extent to which the shared resources are utilized by a targeted slice.
    Type: Application
    Filed: September 17, 2021
    Publication date: March 23, 2023
    Inventors: Stefan SAROIU, Paramvir BAHL
  • Patent number: 11567880
    Abstract: Aspects of the present disclosure relate to techniques for minimizing the effects of RowHammer and induced charge leakage. In examples, systems and methods for preventing access pattern attacks in random-access memory (RAM) are provided. In aspects, a data request associated with a page table may be determined to be a potential security risk and such potential security risk may be mitigated by randomly selecting a memory region from a subset of memory regions, copying data stored in a memory region associated with a page table entry in the page table to the second memory region, disassociating the second memory region from the subset of memory regions and associating the memory region associated with the page table to the second memory region, and updating the page table entry in the page table to refer to the second memory region.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: January 31, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Saroiu, Alastair Wolman, Lucian Cojocar, Kevin Robert Loughlin
  • Publication number: 20220407890
    Abstract: Slices of a 5G network may be configured to implement a trust model by which network customers are provided with assurances that slice properties meet agreed-upon criteria specified by customer policy so that slices can be trusted. Illustrative slice properties may pertain to service types, geographic area of operations, and attributes associated with software, firmware, and hardware used in the infrastructure of nodes in a trusted slice. Particular values of the properties describe a slice configuration that may be measured, digested, and attested to the customer to provide assurances that the configuration conforms with the policy. The 5G slice trust model may be implemented as a two-way model in which a slice provider performs checks to verify slice properties while customers ensure that only authenticated and authorized user equipment (UE) will access a trusted slice.
    Type: Application
    Filed: June 22, 2021
    Publication date: December 22, 2022
    Inventors: Stefan SAROIU, Paramvir BAHL
  • Publication number: 20220408262
    Abstract: Slice control elements in a 5G slicing framework are instantiated in trusted hardware to provide for sealed data transmission in a trusted slice. In addition to sealing the data plane in the trusted slice, the control plane for the slice may be secured by the instantiation into the trusted hardware of layer 2 (medium access control—MAC) scheduling functions for radio resources (e.g., subcarriers and time slots). Layer 1 (physical—PHY) may also be configured to further enhance security of the trusted slice by isolating its PHY layer from that of other trusted and non-trusted slices. Such isolation may be implemented, for example, by using dedicated PHY resources, or by limiting resource time sharing to provide temporal isolation.
    Type: Application
    Filed: June 22, 2021
    Publication date: December 22, 2022
    Inventors: Stefan SAROIU, Paramvir BAHL, Manikanta KOTARU
  • Patent number: 11527280
    Abstract: A memory device comprises a memory array, a counter unit, and a service unit. The memory array comprises cells arranged in rows and columns, wherein a subset of the cells in each of the rows holds a row activation count for each row. The counter unit, in response to an activation of the row caused by a read operation on at least a portion of the row, increments the row activation count for at least one of the rows prior to a completion of the read operation, and writes-back the row activation count in an incremented state to the subset of the cells in the row that held the row activation count prior to the activation. The service unit is coupled to the counter unit and performs a service with respect to one or more other rows, offset from the row, in response to the row activation count associated with the row satisfying service criteria.
    Type: Grant
    Filed: January 22, 2021
    Date of Patent: December 13, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: John Grant Bennett, Stefan Saroiu
  • Publication number: 20220068348
    Abstract: A memory device comprises a memory array, a counter unit, and a service unit. The memory array comprises cells arranged in rows and columns, wherein a subset of the cells in each of the rows holds a row activation count for each row. The counter unit, in response to an activation of the row caused by a read operation on at least a portion of the row, increments the row activation count for at least one of the rows prior to a completion of the read operation, and writes-back the row activation count in an incremented state to the subset of the cells in the row that held the row activation count prior to the activation. The service unit is coupled to the counter unit and performs a service with respect to one or more other rows, offset from the row, in response to the row activation count associated with the row satisfying service criteria.
    Type: Application
    Filed: January 22, 2021
    Publication date: March 3, 2022
    Inventors: John Grant BENNETT, Stefan SAROIU
  • Publication number: 20220050793
    Abstract: Aspects of the present disclosure relate to techniques for minimizing the effects of RowHammer and induced charge leakage. In examples, systems and methods for preventing access pattern attacks in random-access memory (RAM) are provided. In aspects, a data request associated with a page table may be determined to be a potential security risk and such potential security risk may be mitigated by randomly selecting a memory region from a subset of memory regions, copying data stored in a memory region associated with a page table entry in the page table to the second memory region, disassociating the second memory region from the subset of memory regions and associating the memory region associated with the page table to the second memory region, and updating the page table entry in the page table to refer to the second memory region.
    Type: Application
    Filed: August 28, 2020
    Publication date: February 17, 2022
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Stefan SAROIU, Alastair Wolman, Lucian COJOCAR, Kevin Robert LOUGHLIN
  • Patent number: 11233804
    Abstract: A compromise detection system protects data centers (DCs) or other providers in the cloud. The compromise detection system can detect compromised virtual machines (VMs) through changes in network traffic characteristics while avoiding expensive data collection and preserving privacy. The compromise detection system obtains and uses periodically-obtained flow pattern summaries to detect compromised VMs. Agent-based detection on predetermined and compromised VMs can expose (using supervised learning) the network behavior of compromised VMs and then apply the learned model to all VMs in the DC. The compromise detection system can run continuously, protect the privacy of cloud customers, comply with Europe's General Data Protection Regulation (GDPR), and avoid various techniques that both erode privacy and degrade VM performance.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: January 25, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Behnaz Arzani, Selim Ciraci, Stefan Saroiu, Alastair Wolman, Jack Wilson Stokes, III, Geoff Outhred
  • Publication number: 20210176705
    Abstract: The minimization of the amount of power consumed by an electronic device in acquiring or maintaining network connectivity with a network may extend the battery life of the electronic device. When the electronic device has established a communication connection with a wireless access point, the electronic device cycles a network interface controller of the electronic device between a power on state and a power off state without terminating the communication connection. Accordingly, the electronic device powers on a main processor of the electronic device when the network interface controller detects a beacon during the power on state that indicates the wireless access point has a buffered data frame for the electronic device.
    Type: Application
    Filed: December 15, 2020
    Publication date: June 10, 2021
    Inventors: Ranveer Chandra, John Charles Krumm, Xia Zhou, Stefan Saroiu
  • Patent number: 11032345
    Abstract: Methods and devices for encoding and decoding data streams are disclosed. In some aspects, the data streams are multimedia data streams. One method disclosed includes obtaining, by a client device, a first multimedia data stream and a second multimedia data stream, the second multimedia data stream being a lower fidelity version of the first multimedia data stream; generating, by the client device, a third multimedia data stream based on differences between the first and second multimedia data streams; compressing, by the client device, the second multimedia data stream to generate a first compressed multimedia data stream; compressing, by the client device, the third multimedia data stream to generate a second compressed multimedia data stream; and transmitting, by the client device, the first and second compressed multimedia data streams to the server.
    Type: Grant
    Filed: May 10, 2018
    Date of Patent: June 8, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eduardo A Cuervo Laffaye, Alastair Wolman, Stefan Saroiu, Sharad Agarwal, Paramvir Bahl, Landon Cox
  • Patent number: 10978171
    Abstract: Aspects of the present disclosure relate to techniques for identifying susceptibility to induced charge leakage. In examples, a susceptibility test sequence comprising a cache line flush instruction is used to repeatedly activate a row of a memory unit. The susceptibility test sequence causes induced charge leakage within rows that are physically adjacent to the activated row, such that a physical adjacency map can be generated. In other examples, a physical adjacency map is used to identify a set of adjacent rows to a target row. A susceptibility test sequence is used to repeatedly activate the set of adjacent rows, after which the content of the target row is analyzed to determine whether any bits of the target row flipped as a result of induced charge leakage. If flipped bits are not identified, an indication is generated that the memory unit is not susceptible to induced charge leakage.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: April 13, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Saroiu, Lucian Cojocar, Alastair Wolman