Abstract: A disclosed example includes generating a binary translation of a native code section in response to a determination that the binary translation of the native code section is not present in a translation cache; storing the binary translation of the native code section in the translation cache; determining that a stop has occurred during the generation of the binary translation; subsequent to the determination that the stop has occurred, generating a binary translation state map of at least a portion of the binary translation; storing, for at least a portion of a duration of the stop, the binary translation state map in memory; and discarding the binary translation state map from the memory upon termination of the stop, the binary translation state map to not exist after the discard of the binary translation state map.

Abstract: The present disclosure is directed to a system for on-demand binary translation state map generation. Instead of interpreting the native code to be executed, binary translation circuitry (BT circuitry) may execute a binary translation (BT) in place of the native code. When a stop occurs (e.g., due to an interrupt, a modification of the native code, etc.), the BT circuitry may generate a binary translation state map (BT state map) that allows the location of the stop to be mapped back to the native code. Generation of the BT state map may involve determining a location and offset for the stop, performing region formation based on the location, loading instructions from the region (e.g., while accounting for the need to emulate instructions), forming the BT state map based at least on the size of the loaded instructions, and then mapping the stop back to the native code utilizing the offset.

Abstract: In one embodiment, an apparatus includes an execution monitor to monitor an application in execution, identify a code region, generate region information for the code region, and analyze the code region to identify potential malicious behavior, and if the potential malicious behavior is identified, to alert a security agent, and otherwise to enable the code region to execute, where the execution monitor is isolated from the application. Other embodiments are described and claimed.

Abstract: In one embodiment, a binary translator to perform binary translation of code is to: perform a first binary analysis of a first code block to determine whether a second control transfer instruction is included in the first code block, where the first code block includes a return target of a first control transfer instruction; perform a second binary analysis of a second code block to determine whether the second code block includes the first control transfer instruction, where the second code block includes a call target of the second control transfer instruction; and store an address pair associated with the first control transfer instruction in a whitelist if the second control transfer instruction is included in the first code block and the first control transfer instruction is included in the second code block. Other embodiments are described and claimed.

Abstract: The present disclosure is directed to a system for binary translation version protection. Activity occurring in a device that may potentially cause native code to be altered may cause the device to prevent binary translations corresponding to the native code from being executed until a determination is made as to whether the binary translation needs to be regenerated. The native code may be stored in a memory page having an access permission that does not permit writes. Attempts to alter the native code would require the access permission of the memory page to be set to writable, which may cause a binary translation (BT) module to be notified of the potential change. The BT module may mark any binary translations corresponding to the native code as stale, and may cause a page permission control module to update memory pages including the binary translations to have an access permission of non-executable.

Abstract: In one embodiment, an apparatus includes an execution monitor to monitor an application in execution, identify a code region, generate region information for the code region, and analyze the code region to identify potential malicious behavior, and if the potential malicious behavior is identified, to alert a security agent, and otherwise to enable the code region to execute, where the execution monitor is isolated from the application. Other embodiments are described and claimed.

Abstract: In one embodiment, a binary translator to perform binary translation of code is to: perform a first binary analysis of a first code block to determine whether a second control transfer instruction is included in the first code block, where the first code block includes a return target of a first control transfer instruction; perform a second binary analysis of a second code block to determine whether the second code block includes the first control transfer instruction, where the second code block includes a call target of the second control transfer instruction; and store an address pair associated with the first control transfer instruction in a whitelist if the second control transfer instruction is included in the first code block and the first control transfer instruction is included in the second code block. Other embodiments are described and claimed.

Abstract: The present disclosure is directed to a system for on-demand binary translation state map generation. Instead of interpreting the native code to be executed, binary translation circuitry (BT circuitry) may execute a binary translation (BT) in place of the native code. When a stop occurs (e.g., due to an interrupt, a modification of the native code, etc.), the BT circuitry may generate a binary translation state map (BT state map) that allows the location of the stop to be mapped back to the native code. Generation of the BT state map may involve determining a location and offset for the stop, performing region formation based on the location, loading instructions from the region (e.g., while accounting for the need to emulate instructions), forming the BT state map based at least on the size of the loaded instructions, and then mapping the stop back to the native code utilizing the offset.

Abstract: Embodiments of an invention for control transfer instructions indicating intent to call or return are disclosed. In one embodiment, a processor includes a return target predictor, instruction hardware, and execution hardware. The instruction hardware is to receive a first instruction, a second instruction, and a third instruction, and the execution hardware to execute the first instruction, the second instruction, and the third instruction. Execution of the first instruction is to store a first return address on a stack and to transfer control to a first target address. Execution of the second instruction is to store a second return address in the return target predictor and transfer control to a second target address. Execution of the third instruction is to transfer control to the second target address.

Abstract: The present disclosure is directed to a system for binary translation version protection. Activity occurring in a device that may potentially cause native code to be altered may cause the device to prevent binary translations corresponding to the native code from being executed until a determination is made as to whether the binary translation needs to be regenerated. The native code may be stored in a memory page having an access permission that does not permit writes. Attempts to alter the native code would require the access permission of the memory page to be set to writable, which may cause a binary translation (BT) module to be notified of the potential change. The BT module may mark any binary translations corresponding to the native code as stale, and may cause a page permission control module to update memory pages including the binary translations to have an access permission of non-executable.

Abstract: Technologies for shadow stack management include a computing device that, when executing a translated call routine in a translated binary, pushes a native return address on to a native stack of the computing device, adds a constant offset to a stack pointer of the computing device, executes a native call instruction to a translated call target, and, after executing the native call instruction, subtracts the constant offset from the stack pointer. Executing the native call instruction pushes a translated return address onto a shadow stack of the computing device. The computing device may map two or more virtual memory pages of the shadow stack onto a single physical memory page. The computing device may execute a translated return routine that pops the native return address from the native stack, adds the constant offset to the stack pointer, and executes a native return instruction. Other embodiments are described and claimed.