Patents by Inventor Yinqian Zhang

Yinqian Zhang has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250231743
    Abstract: Embodiments of this specification provide a method and an apparatus for managing a user-mode program in a target operating system. The target operating system is written in a Rust language. The Rust language includes an unsafe keyword. The method includes: in response to a kernel processing program requesting, by calling an interface function, to enter a user mode to execute a target program, confirming, by the user-mode interface module, security of a register access related to the request, where the kernel processing program is located at a non-privilege level and has no permission to use the unsafe keyword, and the user-mode interface module does not include the unsafe keyword; and activating, by the basic code module, a target page table corresponding to the target program through the register access by using first code that includes the unsafe keyword, and setting a mode of the operating system to the user mode.
    Type: Application
    Filed: January 10, 2025
    Publication date: July 17, 2025
    Inventors: Yuke PENG, Hongliang TIAN, Shoumeng YAN, Yinqian ZHANG
  • Publication number: 20250231888
    Abstract: Embodiments of this specification provide a method and an apparatus for memory management in a target operating system. The target operating system is written in a Rust language. The Rust language includes an unsafe keyword. The method is performed by a memory management module. The memory management module includes a management interface module and a kernel code module. The method includes: receiving, by the management interface module, a memory request sent by program code, where neither the program code nor the management interface module includes a code segment using the unsafe keyword; and when target security assurance is ensured based on the management interface module, performing, by the kernel code module, a memory operation corresponding to the memory request by using code that includes the unsafe keyword, where the target security assurance is related to the memory operation.
    Type: Application
    Filed: January 10, 2025
    Publication date: July 17, 2025
    Inventors: Yuke PENG, Hongliang TIAN, Shoumeng YAN, Yinqian ZHANG
  • Publication number: 20250232031
    Abstract: Embodiments of this specification provide a method and an apparatus for device management in a target operating system. The target operating system is written in a Rust language. The Rust language includes an unsafe keyword. The method relates to a device driver of a peripheral device and a device management module. The method includes: receiving, by an interface module in the device management module, a target request sent by the device driver, where the target request is an operation request related to interrupt configuration or access of the peripheral device, and the interface module includes no code segment using the unsafe keyword; performing, by the interface module, a security check related to the operation request; and after the security check succeeds, performing, by a kernel code module in the device management module, a target operation corresponding to the operation request by using code that includes the unsafe keyword.
    Type: Application
    Filed: January 10, 2025
    Publication date: July 17, 2025
    Inventors: Yuke PENG, Hongliang TIAN, Shoumeng YAN, Yinqian ZHANG
  • Publication number: 20250190566
    Abstract: TLB poisoning attacks take advantage of security issues of translation lookaside buffer (TLB) management on SEV processors in Secure Encrypted Virtualization (SEV) virtual machines (VMs). In various embodiments, a hypervisor may poison TLB entries between two processes of a SEV VM to compromise the integrity and confidentiality of the SEV VM. Variants of TLB poisoning attacks and end-to-end attacks are shown to be successful on both Advanced Micro Devices (AMD) SEV and SEV-Encrypted State (SEV-ES). Countermeasures for thwarting TLB poisoning attacks include hardware-enforced TLB flush processes and re-exec schemes that, among other things, prevent attackers from manipulating TLB entries and causing a privileged victim process to execute malicious code in an attempt to bypass a password authentication.
    Type: Application
    Filed: February 13, 2025
    Publication date: June 12, 2025
    Applicant: Baidu USA, LLC
    Inventors: Huibo Wang, Kang Li, Mengyuan Li, Yinqian Zhang, Yueqiang Cheng
  • Patent number: 12254087
    Abstract: TLB poisoning attacks take advantage of security issues of translation lookaside buffer (TLB) management on SEV processors in Secure Encrypted Virtualization (SEV) virtual machines (VMs). In various embodiments, a hypervisor may poison TLB entries between two processes of a SEV VM to compromise the integrity and confidentiality of the SEV VM. Variants of TLB poisoning attacks and end-to-end attacks are shown to be successful on both Advanced Micro Devices (AMD) SEV and SEV-Encrypted State (SEV-ES). Countermeasures for thwarting TLB poisoning attacks include hardware-enforced TLB flush processes and re-exec schemes that, among other things, prevent attackers from manipulating TLB entries and causing a privileged victim process to execute malicious code in an attempt to bypass a password authentication.
    Type: Grant
    Filed: May 17, 2022
    Date of Patent: March 18, 2025
    Inventors: Huibo Wang, Kang Li, Mengyuan Li, Yinqian Zhang, Yueqiang Cheng
  • Publication number: 20230098117
    Abstract: TLB poisoning attacks take advantage of security issues of translation lookaside buffer (TLB) management on SEV processors in Secure Encrypted Virtualization (SEV) virtual machines (VMs). In various embodiments, a hypervisor may poison TLB entries between two processes of a SEV VM to compromise the integrity and confidentiality of the SEV VM. Variants of TLB poisoning attacks and end-to-end attacks are shown to be successful on both Advanced Micro Devices (AMD) SEV and SEV-Encrypted State (SEV-ES). Countermeasures for thwarting TLB poisoning attacks include hardware-enforced TLB flush processes and re-exec schemes that, among other things, prevent attackers from manipulating TLB entries and causing a privileged victim process to execute malicious code in an attempt to bypass a password authentication.
    Type: Application
    Filed: May 17, 2022
    Publication date: March 30, 2023
    Applicant: Baidu USA LLC
    Inventors: Huibo WANG, Kang LI, Mengyuan LI, Yinqian ZHANG, Yueqiang CHENG
  • Publication number: 20230097216
    Abstract: TLB poisoning attacks take advantage of security issues of translation lookaside buffer (TLB) management on SEV processors in Secure Encrypted Virtualization (SEV) virtual machines (VMs). In various embodiments, a hypervisor may poison TLB entries between two processes of a SEV VM to compromise the integrity and confidentiality of the SEV VM. Variants of TLB poisoning attacks and end-to-end attacks are shown to be successful on both Advanced Micro Devices (AMD) SEV and SEV-Encrypted State (SEV-ES). Countermeasures for thwarting TLB poisoning attacks include hardware-enforced TLB flush processes and re-exec schemes that, among other things, prevent attackers from manipulating TLB entries and causing a privileged victim process to execute malicious code in an attempt to bypass a password authentication.
    Type: Application
    Filed: May 17, 2022
    Publication date: March 30, 2023
    Applicant: Baidu USA LLC
    Inventors: Huibo WANG, Kang LI, Mengyuan LI, Yinqian ZHANG, Yueqiang CHENG
  • Publication number: 20230097604
    Abstract: TLB poisoning attacks take advantage of security issues of translation lookaside buffer (TLB) management on SEV processors in Secure Encrypted Virtualization (SEV) virtual machines (VMs). In various embodiments, a hypervisor may poison TLB entries between two processes of a SEV VM to compromise the integrity and confidentiality of the SEV VM. Variants of TLB poisoning attacks and end-to-end attacks are shown to be successful on both Advanced Micro Devices (AMD) SEV and SEV-Encrypted State (SEV-ES). Countermeasures for thwarting TLB poisoning attacks include hardware-enforced TLB flush processes and re-exec schemes that, among other things, prevent attackers from manipulating TLB entries and causing a privileged victim process to execute malicious code in an attempt to bypass a password authentication.
    Type: Application
    Filed: May 17, 2022
    Publication date: March 30, 2023
    Applicant: Baidu USA LLC
    Inventors: Huibo WANG, Kang LI, Mengyuan LI, Yinqian ZHANG, Yueqiang CHENG
  • Publication number: 20230059273
    Abstract: AMD's Secure Encrypted Virtualization (SEV) is a hardware extension available in AMD's EPYC™ server processors to support confidential cloud computing. Although known attacks against SEV, which exploit its lack of encryption in the virtual machine (VM) control block or the lack of integrity protection of the encrypted memory and nested page tables, have been addressed in subsequent releases of SEV-Encrypted State (SEV-ES) and SEV-Secure Nested Paging (SEV-SNP), a new CipherLeaks attack presents a previously unexplored vulnerability for SEV-ES and SEV-SNP. The attack allows a privileged adversary to infer a guest VM's execution states or recover certain plaintext, e.g., to steal private keys from the constant-time implementation of the Rivest-Shamir-Adleman (RSA) algorithm and the Elliptic Curve Digital Signature Algorithm (ECDSA) in the latest OpenSSL library.
    Type: Application
    Filed: April 7, 2022
    Publication date: February 23, 2023
    Applicant: Baidu USA LLC
    Inventors: Huibo WANG, Kang LI, Mengyuan LI, Yinqian ZHANG, Yueqiang CHENG
  • Patent number: 9009385
    Abstract: At least one virtual machine implemented on a given physical machine in an information processing system is able to detect the presence of one or more other virtual machines that are also co-resident on that same physical machine. More particularly, at least one virtual machine is configured to avoid usage of a selected portion of a memory resource of the physical machine for a period of time, and to monitor the selected portion of the memory resource for activity during the period of time. Detection of a sufficient level of such activity indicates that the physical machine is also being shared by at least one other virtual machine. The memory resource of the physical machine may comprise, for example, a cache memory, and the selected portion of the memory resource may comprise one or more randomly selected sets of the cache memory.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: April 14, 2015
    Assignee: EMC Corporation
    Inventors: Ari Juels, Alina M. Oprea, Michael Kendrick Reiter, Yinqian Zhang
  • Patent number: 8935675
    Abstract: A method includes receiving a budget cost for monitoring a plurality of tracepoints that occur as a result of operation of a device. The method further includes organizing a plurality of tracepoints into buckets such that each of the buckets corresponds to a range of expected interarrival times, and all tracepoints in a bucket have an expected interarrival time that is within the range for that bucket. The method further includes assigning a trigger to a first plurality of the bucketed tracepoints to yield a plurality of triggered tracepoints, wherein the triggers are proportionally assigned such that a tracepoint having a low expected interarrival time is less likely to be assigned a trigger than a tracepoint having an associated expected interarrival time such that an expected cost of the triggered tracepoints does not exceed the budget cost. Additionally, the method includes monitoring tracepoint occurrence during a first period of operation.
    Type: Grant
    Filed: September 25, 2013
    Date of Patent: January 13, 2015
    Assignee: Google Inc.
    Inventors: Michael Daniel Vrable, Ulfar Erlingsson, Yinqian Zhang
  • Patent number: 8689282
    Abstract: Cloud infrastructure of a cloud service provider comprises a processing platform implementing a security policy enforcement framework. The security policy enforcement framework comprises a policy analyzer that is configured to identify at least one security policy associated with at least one tenant of the cloud service provider, to analyze the security policy against configuration information characterizing the cloud infrastructure of the cloud service provider, and to control execution of one or more applications of said at least one tenant within the cloud infrastructure in accordance with the security policy, based at least in part on one or more results of the analysis of the security policy. The security policy enforcement framework may be implemented in a platform-as-a-service (PaaS) layer of the cloud infrastructure, and may comprise a runtime controller, an operating system controller, a hypervisor controller and a PaaS controller.
    Type: Grant
    Filed: December 23, 2011
    Date of Patent: April 1, 2014
    Assignees: EMC Corporation, University of North Carolina at Chapel Hill
    Inventors: Alina M. Oprea, Yinqian Zhang, Vijay Ganti, John P. Field, Ari Juels, Michael Kendrick Reiter