Patents by Inventor Uday Savagaonkar

Uday Savagaonkar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20130055391
    Abstract: Systems and methods are described herein that discuss how a computing platform executing a virtualized environment, in one example, can be integrity verified adaptively and on demand. This may occur at initial runtime, as well as during continued operations, and allows the platform user to install software from various vendors without sacrificing the integrity measurement and therefore the trustworthiness of the platform.
    Type: Application
    Filed: October 31, 2012
    Publication date: February 28, 2013
    Inventors: Ravi Sahita, Uday Savagaonkar
  • Publication number: 20130036291
    Abstract: Embodiments of an invention for generating multiple address space identifiers per virtual machine to switch between protected micro-contexts are disclosed. In one embodiment, a method includes receiving an instruction requiring an address translation; initiating, in response to receiving the instruction, a page walk from a page table pointed to by the contents of a page table pointer storage location; finding, during the page walk, a transition entry; storing the address translation and one of a plurality of address source identifiers in a translation lookaside buffer, the one of the plurality of address source identifiers based on one of a plurality of virtual partition identifiers, at least two of the plurality of virtual partition identifiers associated with one of a plurality of virtual machines; and re-initiating the page walk.
    Type: Application
    Filed: October 12, 2012
    Publication date: February 7, 2013
    Inventors: Uday Savagaonkar, Madhavan Parthasarathy, Ravi Sahita, David Durham
  • Patent number: 8341369
    Abstract: In accordance with disclosed embodiments, there are provided methods, systems, and apparatuses for implementing hardware of a virtualized processor based system detecting a specified type of memory access to an identified region of memory and in response to the detecting generating an interrupt for a virtual machine monitor (VMM) of the virtualized processor based system.
    Type: Grant
    Filed: December 23, 2011
    Date of Patent: December 25, 2012
    Assignee: Intel Corporation
    Inventors: Uday Savagaonkar, Travis T. Schluessler, Hormuzd Khosravi, Ravi Sahita, Gayathri Nagabhushan, David Durham
  • Patent number: 8327359
    Abstract: Systems and methods are described herein that discuss how a computing platform executing a virtualized environment, in one example, can be integrity verified adaptively and on demand. This may occur at initial runtime, as well as during continued operations, and allows the platform user to install software from various vendors without sacrificing the integrity measurement and therefore the trustworthiness of the platform.
    Type: Grant
    Filed: January 24, 2012
    Date of Patent: December 4, 2012
    Assignee: Intel Corporation
    Inventors: Ravi Sahita, Uday Savagaonkar
  • Patent number: 8316211
    Abstract: Embodiments of an invention for generating multiple address space identifiers per virtual machine to switch between protected micro-contexts are disclosed. In one embodiment, an apparatus includes privileged mode logic, an interface, and memory management logic. The privileged mode logic is to transfer control of the processor among a plurality of virtual machines. The interface is to perform a transaction to fetch information from a memory. The memory management logic is to translate an untranslated address to a memory address. The memory management logic includes a storage location, a series of translation stages, determination logic, and a translation lookaside buffer. The storage location is to store an address of a data structure for the first translation stage. Each of the translation stages includes translation logic to find an entry in a data structure based on a portion of the untranslated address.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: November 20, 2012
    Assignee: Intel Corporation
    Inventors: Uday Savagaonkar, Madhavan Parthasarathy, Ravi Sahita, David Durham
  • Patent number: 8281402
    Abstract: According to embodiments of the present invention, a host platform device includes an embedded firmware agent that may detect an attempt by the host platform device to fully connect to a network. The firmware agent may restrict traffic between the host platform device and the network to bootstrap traffic, test the device to determine device vulnerability, may temporarily stop access to other peripheral devices, and transmit a report of the device vulnerability to a remote policy server. After the test(s) are performed, the firmware agent may receive an indication from the remote policy server as to whether the device is permitted to fully connect to the network and, if so, whether there are any further restrictions on traffic flow, for example, and if the peripheral device access may be allowed.
    Type: Grant
    Filed: May 16, 2006
    Date of Patent: October 2, 2012
    Assignee: Intel Corporation
    Inventors: Ravi Sahita, Uday Savagaonkar, Hormuzd Khosravi, Uri Blumenthal
  • Patent number: 8266707
    Abstract: An apparatus and system provide a tamper-resistant scheme for portability of DRM-protected digital content. According to embodiments of the invention, a portable crypto unit may be utilized in conjunction with a VT integrity services (VIS) scheme as well as a Virtual Machine Manager (VMM) and a TPM to provide a secure scheme to protect digital content. Additionally, in one embodiment, the digital content may be partitioned into blocks comprising multiple segments to further enhance the security of the scheme.
    Type: Grant
    Filed: February 28, 2008
    Date of Patent: September 11, 2012
    Assignee: Intel Corporation
    Inventors: Uday Savagaonkar, Prashant Dewan, Men Long
  • Patent number: 8261065
    Abstract: Disclosed is a method for restricting access of a first code of a plurality of codes and data of a first function from a second function. The method comprises calling the second function by the first function, addresses of the plurality of data may be stored in a stack page and colored in a first color (102). The method comprises performing access control check in a transition page for verifying whether the first function has permission to call the second function (104). Further the method comprises protecting the first code from the second function by coloring the data and/or addresses in a second color (106). Furthermore, the method comprises executing the second function by pushing addresses of the second function on the stack page, the addresses of the second function colored in a third color (108) and unprotecting the first code by coloring the addresses of the first code in the first color (110).
    Type: Grant
    Filed: June 28, 2007
    Date of Patent: September 4, 2012
    Assignee: Intel Corporation
    Inventors: Uday Savagaonkar, David Durham, Ravi Sahita, Subhash Gutti
  • Patent number: 8244945
    Abstract: A method for efficiently handling interrupts in a virtual technology environment with integrity services is provided. The method comprises assigning an interrupt to a virtual machine that is running a software agent; suspending the software agent; invoking a protected interrupt handler; copying the interrupt's memory content to a protected location, in response to successfully verifying the integrity of the content; replacing the interrupt's return address with a return address for a protected function; switching from the software agent's protected context to its active context; executing the original interrupt handler; returning control to the protected function to ensure that execution of the software agent resumes safely; switching back to the software agent's protected context, in response to successfully verifying the integrity of the content; and passing control back to the software agent to resume execution.
    Type: Grant
    Filed: March 18, 2008
    Date of Patent: August 14, 2012
    Assignee: Intel Corporation
    Inventors: Vedvyas Shanbhogue, Uday Savagaonkar, Ravi Sahita
  • Publication number: 20120124579
    Abstract: Systems and methods are described herein that discuss how a computing platform executing a virtualized environment, in one example, can be integrity verified adaptively and on demand. This may occur at initial runtime, as well as during continued operations, and allows the platform user to install software from various vendors without sacrificing the integrity measurement and therefore the trustworthiness of the platform.
    Type: Application
    Filed: January 24, 2012
    Publication date: May 17, 2012
    Inventors: Ravi Sahita, Uday Savagaonkar
  • Patent number: 8181025
    Abstract: A method for managing an agent includes verifying an integrity of the agent in response to a registration request. Memory protection is provided for the agent during integrity verification. An indication is generated when registration of the agent has been completed. According to one aspect of the present invention, providing memory protection includes having a virtual machine monitor limit access to the agent. Other embodiments are described and claimed.
    Type: Grant
    Filed: October 31, 2006
    Date of Patent: May 15, 2012
    Assignee: Intel Corporation
    Inventors: Uday Savagaonkar, Ravi Sahita, Prashant Dewan
  • Publication number: 20120102285
    Abstract: In accordance with disclosed embodiments, there are provided methods, systems, and apparatuses for implementing hardware of a virtualized processor based system detecting a specified type of memory access to an identified region of memory and in response to the detecting generating an interrupt for a virtual machine monitor (VMM) of the virtualized processor based system.
    Type: Application
    Filed: December 23, 2011
    Publication date: April 26, 2012
    Inventors: Uday Savagaonkar, Travis T. Schluessler, Hormuzd Khosravi, Ravi Sahita, Gayathri Nagabhushan, David Durham
  • Publication number: 20120096270
    Abstract: End-to-end security between clients and a server, and traffic visibility to intermediate network devices, achieved through combined mode, single pass encryption and authentication using two keys is disclosed. In various embodiments, a combined encryption-authentication unit includes a cipher unit and an authentication unit coupled in parallel to the cipher unit, and generates an authentication tag using an authentication key in parallel with the generation of the cipher text using an encryption key, where the authentication and encryption key have different key values.
    Type: Application
    Filed: December 27, 2011
    Publication date: April 19, 2012
    Inventors: Men Long, Jesse Walker, David Durham, Marc Millier, Karavir Grewal, Prashant Dewan, Uday Savagaonkar, Steven D. Williams
  • Publication number: 20120090016
    Abstract: A method for managing an agent includes verifying an integrity of the agent in response to a registration request. Memory protection is provided for the agent during integrity verification. An indication is generated when registration of the agent has been completed. According to one aspect of the present invention, providing memory protection includes having a virtual machine monitor limit access to the agent. Other embodiments are described and claimed.
    Type: Application
    Filed: December 6, 2011
    Publication date: April 12, 2012
    Inventors: Uday Savagaonkar, Ravi Sahita, Prashant Dewan
  • Patent number: 8108856
    Abstract: Systems and methods are described herein that discuss how a computing platform executing a virtualized environment, in one example, can be integrity verified adaptively and on demand. This may occur at initial runtime, as well as during continued operations, and allows the platform user to install software from various vendors without sacrificing the integrity measurement and therefore the trustworthiness of the platform.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: January 31, 2012
    Assignee: Intel Corporation
    Inventors: Ravi Sahita, Uday Savagaonkar
  • Patent number: 8099574
    Abstract: Hardware of a virtualized processor based system detecting a specified type of memory access to an identified region of memory and in response to the detecting generating an interrupt for a virtual machine monitor (VMM) of the virtualized processor based system.
    Type: Grant
    Filed: December 27, 2006
    Date of Patent: January 17, 2012
    Assignee: Intel Corporation
    Inventors: Uday Savagaonkar, Travis T. Schluessler, Hormuzd Khosravi, Ravi Sahita, Gayathri Nagabhushan, David Durham
  • Patent number: 7917724
    Abstract: In one embodiment, the present invention includes a virtual machine monitor (VMM) to access a protection indicator of a page table entry (PTE) of a page of a set of memory buffers and determine a state of the protection indicator, and if the protection indicator indicates that the page is a user-level page and if certain information of an agent that seeks to use the page matches that in a protected memory address array, a page table base register (PTBR) is updated to a protected page table (PPT) base address. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 28, 2007
    Date of Patent: March 29, 2011
    Assignee: Intel Corporation
    Inventors: Prashant Dewan, Uday Savagaonkar
  • Patent number: 7882318
    Abstract: Methods, apparatuses, articles, and systems for comparing a first security domain of a first memory page of a physical device to a second security domain of a second memory page of the physical device, the security domains being stored in one or more registers of a processor of the physical device, are described herein. Based on the comparison, the processor disallows an instruction from the first memory page to access the second memory page if the first security domain is different from the second security domain. Resultantly, software agents, in particular, critical software agents, may be protected in a virtual technology (VT) environment more efficiently and effectively.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: February 1, 2011
    Assignee: Intel Corporation
    Inventors: Uday Savagaonkar, Ravi Sahita, David Durham, Hormuzd Khosravi
  • Patent number: 7802050
    Abstract: Methods, apparatuses, articles, and systems for observing, by a virtual machine manager of a physical device, execution of a target process of a virtual machine of the physical device, including virtual addresses of the virtual machine referenced during the execution, are described herein. The virtual machine manager further determines whether the target process is executing in an expected manner based at least in part on the observed virtual address references and expected virtual address references.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: September 21, 2010
    Assignee: Intel Corporation
    Inventors: Uday Savagaonkar, Ravi Sahita, David Durham
  • Patent number: 7768911
    Abstract: A processing unit analyzes network traffic using a multi-timescale heuristic having multiple traffic windows. Each traffic window has a respective threshold value and a respective timescale. When a threshold value is exceeded, the processing unit triggers a network circuit breaker, causing a host platform to be isolated from the network.
    Type: Grant
    Filed: March 29, 2006
    Date of Patent: August 3, 2010
    Assignee: Intel Corporation
    Inventor: Uday Savagaonkar