Patents by Inventor Vadim Sukhomlinov
Vadim Sukhomlinov has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11354240
Abstract: The present disclosure is directed to systems and methods that include cache operation storage circuitry that selectively enables/disables the Cache Line Flush (CLFLUSH) operation. The cache operation storage circuitry may also selectively replace the CLFLUSH operation with one or more replacement operations that provide similar functionality but beneficially and advantageously prevent an attacker from placing processor cache circuitry in a known state during a timing-based, side channel attack such as Spectre or Meltdown. The cache operation storage circuitry includes model specific registers (MSRs) that contain information used to determine whether to enable/disable CLFLUSH functionality. The cache operation storage circuitry may include model specific registers (MSRs) that contain information used to select appropriate replacement operations such as Cache Line Demote (CLDEMOTE) and/or Cache Line Write Back (CLWB) to selectively replace CLFLUSH operations.
Type: Grant
Filed: June 22, 2020
Date of Patent: June 7, 2022
Assignee: Intel Corporation
Inventors: Vadim Sukhomlinov, Kshitij Doshi
-
Patent number: 11347853
Abstract: A combination of hardware monitoring and binary translation software allows detection of return-oriented programming (ROP) exploits with low overhead and low false positive rates. Embodiments may use various forms of hardware to detect ROP exploits and indicate the presence of an anomaly to a device driver, which may collect data and pass the indication of the anomaly to the binary translation software to instrument the application code and determine whether an ROP exploit has been detected. Upon detection of the ROP exploit, the binary translation software may indicate the ROP exploit to an anti-malware software, which may take further remedial action as desired.
Type: Grant
Filed: September 16, 2019
Date of Patent: May 31, 2022
Assignee: MCAFEE, LLC
Inventors: Palanivelrajan Rajan Shanmugavelayutham, Koichi Yamada, Vadim Sukhomlinov, Igor Muttik, Oleksandr Bazhaniuk, Yuriy Bulygin, Dmitri Dima Rubakha, Jennifer Eligius Mankin, Carl D. Woodward, Sevin F. Varoglu, Dima Mirkin, Alex Nayshtut
-
Patent number: 11320837
Abstract: In some embodiments, the disclosed subject matter involves communication and negotiation between an autonomous entity or vehicle with a network of communication resources within a smart premises. The communication resources may include entry, landing or navigation beacons and a building infrastructure service. Negotiation for guidance, entry and other authorized tasks or services may be performed in a distributed fashion while en route or in proximity to a communication resource, rather than scheduled by a centralized server. Other embodiments are described and claimed.
Type: Grant
Filed: September 1, 2017
Date of Patent: May 3, 2022
Assignee: Intel Corporation
Inventors: Vadim Sukhomlinov, Kshitij Arun Doshi, Katalin K. Bartfai-Walcott
-
Patent number: 11307854
Abstract: A processor of an aspect includes a decode unit to decode an instruction. The instruction is to indicate a destination memory address information. An execution unit is coupled with the decode unit. The execution unit, in response to the decode of the instruction, is to store memory addresses, for at least all initial writes to corresponding data items, which are to occur after the instruction in original program order, to a memory address log. A start of the memory address log is to correspond to the destination memory address information. Other processors, methods, systems, and instructions are also disclosed.
Type: Grant
Filed: February 7, 2018
Date of Patent: April 19, 2022
Assignee: Intel Corporation
Inventors: Kshitij Doshi, Roman Dementiev, Vadim Sukhomlinov
-
Patent number: 11171983
Abstract: Embodiments are directed toward techniques to detect a first function associated with an address space initiating a call instruction to a second function in the address space, the first function to call the second function in a deprivileged mode of operation, and define accessible address ranges for segments of the address space for the second function, each segment to have a different address range in the address space where the second function is permitted to access in the deprivileged mode of operation. Embodiments include switching to the stack associated with the second address space and the second function, and initiating execution of the second function in the deprivileged mode of operation.
Type: Grant
Filed: June 29, 2018
Date of Patent: November 9, 2021
Assignee: INTEL CORPORATION
Inventors: Vadim Sukhomlinov, Kshitij Doshi, Michael Lemay, Dmitry Babokin, Areg Melik-Adamyan
-
Publication number: 20210319098
Abstract: Techniques and apparatuses to harden AI systems against various attacks are provided. Among the different techniques and apparatuses provided are techniques and apparatuses that expand the domain for an inference model to include both visible classes as well as hidden classes. The hidden classes can be used to detect possible probing attacks against the model.
Type: Application
Filed: April 23, 2019
Publication date: October 14, 2021
Applicant: INTEL CORPORATION
Inventors: OLEG POGORELIK, ALEX NAYSHTUT, OMER BEN-SHALOM, DENIS KLIMOV, RAIZY KELLERMANN, GUY BARNHART-MAGEN, VADIM SUKHOMLINOV
-
Patent number: 11126721
Abstract: The disclosed embodiments generally relate to detecting malware through detection of micro-architectural changes (morphing events) when executing a code at a hardware level (e.g., CPU). An exemplary embodiment relates to a computer system having: a memory circuitry comprising an executable code; a central processing unit (CPU) in communication with the memory circuitry and configured to execute the code; a performance monitoring unit (PMU) associated with the CPU, the PMU configured to detect and count one or more morphing events associated with execution of the code and to determine if the counted number of morphing events exceeds a threshold value; and a co-processor configured to initiate a memory scan of the memory circuitry to identify a malware in the code.
Type: Grant
Filed: June 28, 2018
Date of Patent: September 21, 2021
Assignee: INTEL CORPORATION
Inventors: Alex Nayshtut, Vadim Sukhomlinov, Koichi Yamada, Ajay Harikumar, Venkat Gokulrangan
-
Publication number: 20210271733
Abstract: Detailed are embodiments related to bit matrix multiplication in a processor. For example, in some embodiments a processor comprising: decode circuitry to decode an instruction having fields for an opcode, an identifier of a first source bit matrix, an identifier of a second source bit matrix, an identifier of a destination bit matrix, and an immediate; and execution circuitry to execute the decoded instruction to perform a multiplication of a matrix of S-bit elements of the identified first source bit matrix with S-bit elements of the identified second source bit matrix, wherein the multiplication and accumulation operations are selected by the operation selector and store a result of the matrix multiplication into the identified destination bit matrix, wherein S indicates a plural bit size is described.
Type: Application
Filed: January 22, 2021
Publication date: September 2, 2021
Inventors: Dmitry Y. Babokin, Kshitij A. Doshi, Vadim Sukhomlinov
-
Publication number: 20210263779
Abstract: Embodiments of systems, apparatuses and methods provide enhanced function as a service (FaaS) to users, e.g., computer developers and cloud service providers (CSPs). A computing system configured to provide such enhanced FaaS service includes one or more controls architectural subsystems, software and orchestration subsystems, network and storage subsystems, and security subsystems. The computing system executes functions in response to events triggered by the users in an execution environment provided by the architectural subsystems, which represent an abstraction of execution management and shield the users from the burden of managing the execution. The software and orchestration subsystems allocate computing resources for the function execution by intelligently spinning up and down containers for function code with decreased instantiation latency and increased execution scalability while maintaining secured execution.
Type: Application
Filed: April 16, 2019
Publication date: August 26, 2021
Applicant: Intel Corporation
Inventors: Mohammad R. Haghighat, Kshitij Doshi, Andrew J. Herdrich, Anup Mohan, Ravishankar R. Iyer, Mingqiu Sun, Krishna Bhuyan, Teck Joo Goh, Mohan J. Kumar, Michael Prinke, Michael Lemay, Leeor Peled, Jr-Shian Tsai, David M. Durham, Jeffrey D. Chamberlain, Vadim A. Sukhomlinov, Eric J. Dahlen, Sara Baghsorkhi, Harshad Sane, Areg Melik-Adamyan, Ravi Sahita, Dmitry Yurievich Babokin, Ian M. Steiner, Alexander Bachmutsky, Anil Rao, Mingwei Zhang, Nilesh K. Jain, Amin Firoozshahian, Baiju V. Patel, Wenyong Huang, Yeluri Raghuram
-
Patent number: 11055226
Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive a request for data, wherein the request is received on a system that regularly stores data in a cache and provide the requested data without causing the data or an address of the data to be cached or for changes to the cache to occur. In an example, the requested data is already in a level 1 cache, level 2 cache, or last level cache and the cache does not change its state. Also, a snoop request can be broadcasted to acquire the requested data and the snoop request is a read request and not a request for ownership of the data. In addition, changes to a translation lookaside buffer when the data was obtained using a linear to physical address translation are prevented.
Type: Grant
Filed: June 29, 2018
Date of Patent: July 6, 2021
Assignee: Intel Corporation
Inventor: Vadim Sukhomlinov
-
Publication number: 20210191789
Abstract: A computing apparatus, including: a hardware computing platform; and logic to operate on the hardware computing platform, configured to: receive a microservice instance registration for a microservice accelerator, wherein the registration includes a microservice that the microservice accelerator is configured to provide, and a microservice connection capability indicating an ability of the microservice instance to communicate directly with other instances of the same or a different microservice; and log the registration in a microservice registration database.
Type: Application
Filed: December 4, 2020
Publication date: June 24, 2021
Applicant: Intel Corporation
Inventors: Vadim Sukhomlinov, Kshitij A. Doshi
-
Publication number: 20210117535
Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.
Type: Application
Filed: December 7, 2020
Publication date: April 22, 2021
Inventors: Michael LEMAY, David M. DURHAM, Michael E. KOUNAVIS, Barry E. HUNTLEY, Vedvyas SHANBHOGUE, Jason W. BRANDT, Josh TRIPLETT, Gilbert NEIGER, Karanvir GREWAL, Baiju PATEL, Ye ZHUANG, Jr-Shian TSAI, Vadim SUKHOMLINOV, Ravi SAHITA, Mingwei ZHANG, James C. FARWELL, Amitabh DAS, Krishna BHUYAN
-
Patent number: 10965597
Abstract: Examples may include techniques to route packets to virtual network functions. A network function virtualization load balancer is provided which routes packets to both maximize a specified distribution and minimize switching of contexts between virtual network functions. Virtual network functions are arranged to be able to shift a context from one virtual network function to another. As such, the system can be managed, for example, scaled up or down, regardless of the statefulness of the virtual network functions and their local contexts or flows.
Type: Grant
Filed: July 1, 2017
Date of Patent: March 30, 2021
Assignee: INTEL CORPORATION
Inventors: Vadim Sukhomlinov, Kshitij A. Doshi, Andrey Chilikin
-
Patent number: 10929504
Abstract: Detailed are embodiments related to bit matrix multiplication in a processor. For example, in some embodiments a processor comprising: decode circuitry to decode an instruction having fields for an opcode, an identifier of a first source bit matrix, an identifier of a second source bit matrix, an identifier of a destination bit matrix, and an immediate; and execution circuitry to execute the decoded instruction to perform a multiplication of a matrix of S-bit elements of the identified first source bit matrix with S-bit elements of the identified second source bit matrix, wherein the multiplication and accumulation operations are selected by the operation selector and store a result of the matrix multiplication into the identified destination bit matrix, wherein S indicates a plural bit size is described.
Type: Grant
Filed: November 21, 2019
Date of Patent: February 23, 2021
Assignee: Intel Corporation
Inventors: Dmitry Y. Babokin, Kshitij A. Doshi, Vadim Sukhomlinov
-
Patent number: 10929535
Abstract: The present disclosure is directed to systems and methods for mitigating or eliminating the effectiveness of a side channel attack, such as a Meltdown or Spectre type attack by selectively introducing a variable, but controlled, quantity of uncertainty into the externally accessible system parameters visible and useful to the attacker. The systems and methods described herein provide perturbation circuitry that includes perturbation selector circuitry and perturbation block circuitry. The perturbation selector circuitry detects a potential attack by monitoring the performance/timing data generated by the processor. Upon detecting an attack, the perturbation selector circuitry determines a variable quantity of uncertainty to introduce to the externally accessible system data. The perturbation block circuitry adds the determined uncertainty into the externally accessible system data. The added uncertainty may be based on the frequency or interval of the event occurrences indicative of an attack.
Type: Grant
Filed: June 29, 2018
Date of Patent: February 23, 2021
Assignee: Intel Corporation
Inventors: Vadim Sukhomlinov, Kshitij Doshi, Francesc Guim, Alex Nayshtut
-
Publication number: 20210036859
Abstract: A method for authenticating a secure credential transfer to a device includes verifying user identity and device identity. In particular, the method includes verifying user identity by requesting and receiving a user identification input at a first client device and verifying device identity of a second client device by (i) determining a security status of the second client device from hardware of the second client device, (ii) invoking an identifier related to the security status of the second client device to an authentication server, and (iii) obtaining certification from the authentication server for the second client device based on the invoked identifier. After verifying the user identity and the device identity, the method includes establishing a secure channel between the first client device and the second client device for the secure credential transfer using one or more tokens generated by the authentication server.
Type: Application
Filed: July 30, 2019
Publication date: February 4, 2021
Inventors: Vadim Sukhomlinov, Alberto Martin, Andrey Pronin
-
Publication number: 20210026651
Abstract: Examples are described that relate to waking up or invoking a function such as a processor-executed application or a hardware device. The application or a hardware device can specify which sources can cause wake-ups and which sources are not to cause wake-ups. A device or processor-executed software can monitor reads from or writes to a region of memory and cause the application or a hardware device to wake-up unless the wake-up is specified as inhibited. The updated region of memory can be precisely specified to allow a pinpoint retrieval of updated content instead of scanning a memory range for changes. In some cases, a write to a region of memory can include various parameters that are to be used by the woken-up application or a hardware device. Parameters can include a source of a wake-up, a timer to cap execution time, or any other information.
Type: Application
Filed: July 26, 2019
Publication date: January 28, 2021
Inventors: Alexander BACHMUTSKY, Kshitij A. DOSHI, Raghu KONDAPALLI, Vadim SUKHOMLINOV
-
Patent number: 10860390
Abstract: A computing apparatus, including: a hardware computing platform; and logic to operate on the hardware computing platform, configured to: receive a microservice instance registration for a microservice accelerator, wherein the registration includes a microservice that the microservice accelerator is configured to provide, and a microservice connection capability indicating an ability of the microservice instance to communicate directly with other instances of the same or a different microservice; and log the registration in a microservice registration database.
Type: Grant
Filed: June 28, 2017
Date of Patent: December 8, 2020
Assignee: Intel Corporation
Inventors: Vadim Sukhomlinov, Kshitij A. Doshi
-
Patent number: 10860709
Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.
Type: Grant
Filed: June 29, 2018
Date of Patent: December 8, 2020
Assignee: Intel Corporation
Inventors: Michael Lemay, David M. Durham, Michael E. Kounavis, Barry E. Huntley, Vedvyas Shanbhogue, Jason W. Brandt, Josh Triplett, Gilbert Neiger, Karanvir Grewal, Baiju V. Patel, Ye Zhuang, Jr-Shian Tsai, Vadim Sukhomlinov, Ravi Sahita, Mingwei Zhang, James C. Farwell, Amitabh Das, Krishna Bhuyan
-
Patent number: 10831491
Abstract: The present disclosure is directed to systems and methods for mitigating or eliminating the effectiveness of a side channel attack, such as a Spectre type attack, by limiting the ability of a user-level branch prediction inquiry to access system-level branch prediction data. The branch prediction data stored in the BTB may be apportioned into a plurality of BTB data portions. BTB control circuitry identifies the initiator of a received branch prediction inquiry. Based on the identity of the branch prediction inquiry initiator, the BTB control circuitry causes BTB look-up circuitry to selectively search one or more of the plurality of BTB data portions.
Type: Grant
Filed: June 29, 2018
Date of Patent: November 10, 2020
Assignee: Intel Corporation
Inventors: Vadim Sukhomlinov, Kshitij Doshi