In Hierarchical Protection System, e.g., Privilege Levels, Memory Rings, etc. (EPO) Patents (Class 711/E12.097)
  • Patent number: 11960505
    Abstract: A database export system exports data using a plurality of nodes that process the data to generate structured result files that are partitioned by an export parameter in an export request. The database export system distributes the data and merges the files to avoid small file creation and increase processing speed via parallelism. The database export system generates the result files of a specified maximum size in a final format, where the files are processed and merged in a temporary file format. The parallel processing is optimized and constrained per the amount of processing nodes, available memory, requested final file sizes, and operation-based ordering to complete data exports in a scalable multi-stage approach.
    Type: Grant
    Filed: May 19, 2022
    Date of Patent: April 16, 2024
    Assignee: Snowflake Inc.
    Inventors: Vasile Paraschiv, Saurin Shah, Marianne Shaw, Nileema Shingte
  • Patent number: 11055440
    Abstract: A data processing apparatus has processing circuitry for executing first software at a first privilege level and second software at a second privilege level higher than the first privilege level. Attributes may be set by the first and second software to indicate whether execution of the data access instruction can be interrupted. For a predetermined type of data access instruction for which the second attribute set by the second software specifies that the instruction can be interrupted, the instruction may be set as interruptable even if the first attribute set by the first software specifies that the execution of the instruction cannot be interrupted.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: July 6, 2021
    Assignee: ARM Limited
    Inventors: Simon John Craske, Antony John Penton
  • Patent number: 10990471
    Abstract: A disclosed apparatus and method reduce the likelihood of multiple bit single event upset (SEU) errors in space-deployed memory devices and memory macros. For each memory, a bit selection layer effectively increases the mux of the memory bit table, thereby reducing the word size while increasing the word capacity, without changing the total memory capacity. As a result, the separation between the physical bit storage locations for each word is increased, thereby reducing the likelihood of multiple bit SEU errors. A buffer can be implemented if the memory lacks individual bit write control. The memory can be implemented in a core integrated circuit (IC) of a multi-chip module (MCM) hybrid integrated circuit (HIC), and the bit selection layer and/or buffer can be implemented in a chiplet or chiplets of the MCM-HIC.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: April 27, 2021
    Assignee: BAE Systems Information and Electronic Systems Integration Inc.
    Inventor: Jason F. Ross
  • Patent number: 10891146
    Abstract: A data processing system operates in a plurality of modes including a first privilege mode and a second privilege mode with the first privilege mode giving rights of access that are not available in the second privilege mode. Application code executes in the second privilege mode and generates function calls to hypervisor code which executes in the first privilege mode. These function calls are to perform a secure function requiring the rights of access which are only available in the first privilege mode. Scheduling code which executes in the second privilege mode controls scheduling of both the application code and the hypervisor code. Memory protection circuitry operating with physical addresses serves to control access permissions required to access different regions within the memory address space using configuration data which is written by the hypervisor code.
    Type: Grant
    Filed: April 20, 2015
    Date of Patent: January 12, 2021
    Assignee: ARM IP Limited
    Inventors: Milosch Meriac, Hugo John Martin Vincent, James Crosby
  • Patent number: 10860354
    Abstract: A data processing system operates in a plurality of modes including a first privilege mode and a second privilege mode with the first privilege mode giving rights of access that are not available in the second privilege mode. Application code executes in the second privilege mode and generates function calls to hypervisor code which executes in the first privilege mode. These function calls are to perform a secure function requiring the rights of access which are only available in the first privilege mode. Scheduling code which executes in the second privilege mode controls scheduling of both the application code and the hypervisor code. Memory protection circuitry operating with physical addresses serves to control access permissions required to access different regions within the memory address space using configuration data which is written by the hypervisor code.
    Type: Grant
    Filed: April 20, 2015
    Date of Patent: December 8, 2020
    Assignee: ARM IP Limited
    Inventors: Milosch Meriac, Hugo John Martin Vincent, James Crosby
  • Patent number: 10853269
    Abstract: A secure demand paging system including a secure internal memory, an external non-volatile memory having encrypted and integrity-protected code pages, an external volatile memory for swap pages and a processor coupled to said secure internal memory and to said external non-volatile memory and operable to decrypt and verify the integrity of the code pages thereby to transfer code pages to said secure internal memory directly from said external non-volatile memory bypassing said external volatile memory in respect of the code pages, and to swap out and swap in the swap pages between secure internal memory and said external volatile memory bypassing said external non-volatile memory in respect of the swap pages for said external volatile memory.
    Type: Grant
    Filed: April 13, 2016
    Date of Patent: December 1, 2020
    Assignee: Texas Instruments Incorporated
    Inventors: Steven C. Goss, Gregory Remy Philippe Conti, Narendar M. Shankar, Mehdi-Laurent Akkar, Aymeric Vial
  • Patent number: 10235303
    Abstract: Techniques for protecting software in a computing device are provided. A method according to these techniques includes receiving a request from a non-secure software module to execute an instruction of a secure software module comprising encrypted program code, determining whether the instruction comprises an instruction associated with a controlled point of entry to the secure software module accessible outside of the secure software module, executing one or more instructions of the secure software module responsive to the instruction comprising an instruction associated with the controlled point of entry to the secure software module, and controlling exit from the secure software module to return execution to the non-secure software module.
    Type: Grant
    Filed: August 9, 2016
    Date of Patent: March 19, 2019
    Assignee: QUALCOMM Incorporated
    Inventors: David Hartley, Roberto Avanzi, Rosario Cammarota
  • Patent number: 10116436
    Abstract: Techniques and apparatuses for detecting and preventing memory attacks are described. In one embodiment, for example, an apparatus may include at least one memory comprising a shared memory and a system memory, logic, at least a portion of the logic comprised in hardware coupled to the at least one shared memory, the logic to implement a memory monitor to determine a memory attack by an attacker application against a victim application using the shared memory, and prevent the memory attack, the memory monitor to determine that victim data is being reloaded into the shared memory from the system memory, store the victim data in a monitor memory, flush shared memory data stored in the shared memory, and write the victim data to the shared memory. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: October 30, 2018
    Assignee: INTEL CORPORATION
    Inventors: Nagaraju N. Kodalapura, Arun Kanuparthi
  • Patent number: 10061940
    Abstract: A secure protection method executed by a processor is provided. The secure protection method includes the following steps: Perform a security checking before or after executing an instruction according to an instruction security attribute (ISA) of the instruction and a security attribute (SA) of an operational event (OE); and ignore the OE, defer the OE, or raise a security exception when the security checking fails. The OE is generated as a side effect when the processor fetches or executes the instruction, or generated as a monitoring result on the instruction, or generated in response to an external input of the processor.
    Type: Grant
    Filed: July 9, 2013
    Date of Patent: August 28, 2018
    Assignee: ANDES TECHNOLOGY CORPORATION
    Inventors: Chi-Chang Lai, Chuan-Hua Chang
  • Patent number: 10002031
    Abstract: A first thread is placed into a blocked state by causing the thread to perform a blocking pop operation on a hardware-accelerated, single-entry queue. When a synchronization event completes, a second thread may release the first thread from the blocked state pushing a data value onto the hardware accelerated, single-entry queue. The push operation satisfies the blocking pop operation, and the first thread is released.
    Type: Grant
    Filed: May 8, 2013
    Date of Patent: June 19, 2018
    Assignee: NVIDIA CORPORATION
    Inventors: Ignacio Llamas, James David Balfour
  • Patent number: 9910794
    Abstract: A method for executing a program code is suggested, the method comprising: checking a memory access policy resource based on a trigger; and comparing a current program counter with a program counter information provided by the memory access policy resource and, in case the comparison of the current program counter and the program counter information fulfills a predefined condition, conducting a memory access policy check to allow permitted operations.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: March 6, 2018
    Assignee: Infineon Technologies AG
    Inventors: Narasimha Kumar Vedala, Bala Nagendra Raja Munjuluri, Prakash Nayak
  • Patent number: 9852083
    Abstract: A method for executing a program code is suggested, the method comprising: checking a memory access policy resource based on a trigger; and comparing a current program counter with a program counter information provided by the memory access policy resource and, in case the comparison of the current program counter and the program counter information fulfills a predefined condition, conducting a memory access policy check to allow permitted operations.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: December 26, 2017
    Assignee: Infineon Technologies AG
    Inventors: Narasimha Kumar Vedala, Bala Nagendra Raja Munjuluri, Prakash Nayak
  • Patent number: 9798873
    Abstract: A processor can be used to ensure that program code can only be used for a designed purpose and not exploited by malware. Embodiments of an illustrative processor can comprise logic operable to execute a program instruction and to distinguish whether the program instruction is a legitimate branch instruction or a non-legitimate branch instruction.
    Type: Grant
    Filed: August 4, 2011
    Date of Patent: October 24, 2017
    Assignee: Elwha LLC
    Inventors: Daniel A. Gerrity, Clarence T. Tegreene
  • Patent number: 9767324
    Abstract: The present application is directed to transparent execution of secret content. A device may be capable of downloading content that may include at least one secret portion, wherein any secret portions of the content may be directed to a secure workspace in the device not accessible to device operating system components, applications, users, etc. The device may then present the content in a manner that allows secret portions of the content to be executed without direct access. For example, the device may download content, and a director module in the device may direct any secret portions of the downloaded content to a secure workspace. During execution of the content, any inputs required by the secret portions may be provided to the secure workspace, and any resulting outputs from the secret portions may then be used during content presentation.
    Type: Grant
    Filed: November 22, 2014
    Date of Patent: September 19, 2017
    Assignee: INTEL CORPORATION
    Inventors: Jeffrey C Sedayao, Ivan Jibaja, Srikanth Varadarajan, Reshma Lal, Soham Jayesh Desai
  • Patent number: 9654142
    Abstract: A system and method for conveying data include the capability to determine whether a transaction request credit has been received at a computer module, the transaction request credit indicating that at least a portion of a transaction request message may be sent. The system and method also include the capability to determine, if a transaction request message is to be sent, whether at least a portion of the transaction request message may be sent and to send the at least a portion of the transaction request message if it may be sent.
    Type: Grant
    Filed: July 18, 2014
    Date of Patent: May 16, 2017
    Assignee: SILICON GRAPHICS INTERNATIONAL CORP.
    Inventors: Steven C. Miller, Thomas Edward McGee, Bruce Alan Strangfeld
  • Patent number: 9607165
    Abstract: Methods, systems, and computer program products for initializing a page with watchdog code, by: positioning a first set of instructions in a first address range on the page; determining that there is a second address range that is unused by the first set of instructions; and initializing the second address range with a second set of instructions, the second set of instructions being watchdog instructions.
    Type: Grant
    Filed: February 13, 2015
    Date of Patent: March 28, 2017
    Assignee: Red Hat Israel, Ltd.
    Inventor: Michael Tsirkin
  • Patent number: 9530005
    Abstract: Techniques for secure data management in a distributed environment are provided. A secure server includes a modified operating system that just allows a kernel application to access a secure hard drive of the secure server. The hard drive comes prepackaged with a service public and private key pair for encryption and decryption services with other secure servers of a network. The hard drive also comes prepackaged with trust certificates to authenticate the other secure servers for secure socket layer (SSL) communications with one another, and the hard drive comes with a data encryption key, which is used to encrypt storage of the secure server. The kernel application is used during data restores, data backups, and/or data versioning operations to ensure secure data management for a distributed network of users.
    Type: Grant
    Filed: November 23, 2015
    Date of Patent: December 27, 2016
    Assignee: Novell, Inc.
    Inventor: Gosukonda Naga Venkata Satya Sudhakar
  • Patent number: 9489541
    Abstract: A computer system comprising a processor and a memory for storing instructions, that when executed by the processor performs a copy protection method. The copy protection method comprises executing a software loop of a first software application in a first operating system. A first call is executed in the software loop to a code portion. A decrypted code portion of the first software application is executed in a second operating system in response to the first call. The code portion is decrypted in response to a successful validation of the first software application.
    Type: Grant
    Filed: April 27, 2012
    Date of Patent: November 8, 2016
    Assignee: NVIDIA CORPORATION
    Inventors: Anthony Michael Tamasi, Timothy Paul Lottes, Bojan Skaljak, Fedor Fomichev, Andrew Leighton Edelsten, Jay Huang, Ashutosh Gajanan Rege, Keith Brian Galocy
  • Patent number: 9389793
    Abstract: A semiconductor device includes, in various embodiments, a memory and a processor, with the processor configured to perform a permission check prior to execution of a memory-access instruction. The permission check comprises evaluating a permission attribute of the memory-access instruction and a permission attribute of a memory location to be accessed. The memory-access instruction is denied unless the permission attribute of the memory-access instruction is compatible with the permission attribute of the memory location to be accessed. In various embodiments, permission attributes are obtained by the processor from a one-time-programmable (OTP) memory module. In various embodiments, the permission attributes are determined based on a source address of the memory-access instruction and an address of the memory location to be accessed. In various embodiments, the OTP memory module stores permission settings that are based on the identity of suppliers for various portions of code stored in the memory.
    Type: Grant
    Filed: March 6, 2014
    Date of Patent: July 12, 2016
    Assignee: Freescale Semiconductor, Inc.
    Inventors: Richard Soja, Nancy H. Amedeo
  • Patent number: 9372996
    Abstract: An approach is provided for protecting data owned by an operating system on a mobile computing device having multiple operating systems. A map specifying protected data regions for the operating systems on the mobile computing device is generated. At least a portion of the map is secured with a shared key. Based on the map and the shared key, and in response to a data cleanup activity being performed by a software utility being executed on another, currently running operating system included in the multiple operating systems, a data region included in the protected data regions is determined to be owned by the operating system. Based on the data region being owned by the operating system and the data region being specified by the map, the data cleanup activity is blocked from being performed on the data region owned by the operating system.
    Type: Grant
    Filed: May 15, 2014
    Date of Patent: June 21, 2016
    Assignee: International Business Machines Corporation
    Inventors: Blaine H. Dolph, Miku K. Jha, Sandeep R. Patil, Riyazahamad M. Shiraguppi, Gandhi Sivakumar
  • Patent number: 9280671
    Abstract: A semiconductor device includes a CPU, an EEPROM, and a ROM. The ROM includes an encryption area and a non-encryption area and the encrypted firmware is stored in the encryption area. The semiconductor device includes a decrypter which holds the encryption key, decrypts the encrypted firmware, and supplies the decrypted firmware to the CPU. The EEPROM includes a system area to which an access from the CPU is forbidden in a user mode. The encryption key is divided into split keys of plural bit strings, and stored in the distributed address areas in the system area. An encryption key reading program which is not encrypted is stored in the non-encryption area of the ROM. Executing the encryption key reading program, the CPU reads and reconfigures plural split keys stored in the EEPROM in a distributed manner to restore the encryption key and supplies the restored encryption key to the decrypter.
    Type: Grant
    Filed: October 23, 2013
    Date of Patent: March 8, 2016
    Assignee: Renesas Electronics Corporation
    Inventors: Takashi Endo, Yosuke Tanno, Yoshiyuki Amanuma, Yuichiro Nariyoshi
  • Patent number: 9235709
    Abstract: A method and apparatus for protecting the integrity of a mobile terminal are provided. The mobile terminal includes a secure world for preventing unauthorized access to resources, and a normal world other than the secure world. The integrity protection method for the mobile terminal includes sensing a power-on of the mobile terminal, verifying, by a trusted entity in the normal world, the integrity of a first subsequent entity, and sending, when an integrity breach is detected in the first subsequent entity, by the trusted entity, a modification indication signal to the secure world.
    Type: Grant
    Filed: February 22, 2013
    Date of Patent: January 12, 2016
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Bumhan Kim, Sunghoon Yoo, Kyunghee Lee
  • Patent number: 8943288
    Abstract: Provided is a method of controlling memory access. In a system including a first layer element executed in a privileged mode having a first priority of permission to access the entire region of a memory and second and third layer elements executed in an unprivileged mode having a second priority of permission to access a partial region of the memory, the method of controlling memory access determines whether the memory is accessible for each page that is an address space unit, based on which mode a layer element currently accessing the memory is executed in between the privileged mode and the unprivileged mode; and determines whether the memory is accessible based on which one of the first, second and third layer elements corresponds to a domain currently being attempted to be accessed from among a plurality of domains of the memory.
    Type: Grant
    Filed: January 8, 2013
    Date of Patent: January 27, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Sung-kwan Heo, Chan-ju Park, Sang-bum Suh, Joo-young Hwang, Jae-min Ryu
  • Patent number: 8918610
    Abstract: A chip including a processor for performing a predetermined operation, a provider for providing a clock signal, with which the processor is clocked, a counter for decrementing or incrementing a count based on the clock signal, a monitor for signaling the predetermined operation to be prevented, depending on the count, and a non-volatile storage for non-volatilely storing the count.
    Type: Grant
    Filed: December 8, 2004
    Date of Patent: December 23, 2014
    Assignee: Infineon Technologies AG
    Inventor: Peter Laackmann
  • Patent number: 8904106
    Abstract: In a method for allocating space on a logical disk, a computer receives an allocation request to allocate a number of requested logical disk extents. The computer selects one of a first group having an array of logical disk extents and a second group having an array of logical disk extents. The computer selects a group having a number of free logical disk extents that is greater than or equal to the number of requested logical disk extents. The logical disk extents in the array of the first group and in the array of the second group correspond to disk blocks on a logical disk. The logical disk spans one or more physical random access disks. The computer locks the selected group to prevent allocating a logical disk extent other than in response to the allocation request.
    Type: Grant
    Filed: June 22, 2011
    Date of Patent: December 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Adekunle Bello, Aruna Yedavilli
  • Patent number: 8788775
    Abstract: A data processing system 2 including processing circuitry 4 operating in either a first mode or a second mode. Page table data 30 including access control bits 40, 42, is used to control permissions for memory access to memory pages. In the first mode, the access control bits include at least one instance of a redundant encoding. In the second mode, the redundant encoding is removed to provide more efficient use of the access control bit encoding space.
    Type: Grant
    Filed: June 28, 2011
    Date of Patent: July 22, 2014
    Assignee: Arm Limited
    Inventor: Richard Roy Grisenthwaite
  • Publication number: 20110314215
    Abstract: A multi-priority encoder includes a plurality of interconnected, single-priority encoders arranged in descending priority order. The multi-priority encoder includes circuitry for blocking a match output by a lower level single-priority encoder if a higher level single-priority encoder outputs a match output. Match data is received from a content addressable memory, and the priority encoder includes address encoding circuitry for outputting the address locations of each highest priority match line flagged by the highest priority indicator. Each single-priority encoder includes a highest priority indicator which has a plurality of indicator segments, each indicator segment being associated with a match line input.
    Type: Application
    Filed: July 1, 2011
    Publication date: December 22, 2011
    Applicant: Micron Technology, Inc.
    Inventor: Zvi Regev
  • Patent number: 7991947
    Abstract: A multi-priority encoder includes a plurality of interconnected, single-priority encoders arranged in descending priority order. The multi-priority encoder includes circuitry for blocking a match output by a lower level single-priority encoder if a higher level single-priority encoder outputs a match output. Match data is received from a content addressable memory, and the priority encoder includes address encoding circuitry for outputting the address locations of each highest priority match line flagged by the highest priority indicator. Each single-priority encoder includes a highest priority indicator which has a plurality of indicator segments, each indicator segment being associated with a match line input.
    Type: Grant
    Filed: December 30, 2002
    Date of Patent: August 2, 2011
    Assignee: Micron Technology, Inc.
    Inventor: Zvi Regev
  • Patent number: 7882317
    Abstract: A first plurality of operating system processes is assigned to a first protection domain, and a second plurality of operating system processes is assigned to a second protection domain. One or more hardware protection mechanisms are used to prevent the first plurality of operating system processes from accessing the memory space of the second plurality of operating system processes, and also to prevent the second plurality of operating system processes from accessing the memory space of the first plurality of operating system processes.
    Type: Grant
    Filed: August 4, 2006
    Date of Patent: February 1, 2011
    Assignee: Microsoft Corporation
    Inventors: Galen C. Hunt, Chris K. Hawblitzel, James R. Larus, Manuel A. Fahndrich, Mark Aiken
  • Patent number: 7831788
    Abstract: Systems, methods, apparatus and software can utilize storage resource locks to prevent modification (including relocation) of data in the storage resource while a third-party copy operation directed at the storage resource is occurring. A data transport mechanism such as a data restore application requests that a relevant portion of the storage resource be locked. Once locked, the data transport mechanism requests a data mover to perform a third-party copy operation whereby data is moved from a data source to the locked portion of the storage resource. When the third-party copy operation is complete, the data transport mechanism requests release of the lock on the portion of the storage resource.
    Type: Grant
    Filed: May 28, 2004
    Date of Patent: November 9, 2010
    Assignee: Symantec Operating Corporation
    Inventors: James P. Ohr, Thomas W. Lanzatella
  • Publication number: 20100228936
    Abstract: One embodiment of the present invention provides a system that accesses memory locations in an object-addressed memory system. During a memory access in the object-addressed memory system, the system receives an object identifier and an address. The system then uses the object identifier to identify a paged memory object associated with the memory access. Next, the system uses the address and a page table associated with the paged memory object to identify a memory page associated with the memory access. After determining the memory page, the system uses the address to access a memory location in the memory page.
    Type: Application
    Filed: March 5, 2009
    Publication date: September 9, 2010
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Gregory M. Wright, Christopher A. Vick, Mario I. Wolczko
  • Publication number: 20100106954
    Abstract: The present invention relates to a microcontroller designed for protection of intellectual digital content. The microcontroller includes a secure CPU, a real-time cipher, and a user programmable multi-layer access control system for internal memory realized by programmable nonvolatile memory. Programmable nonvolatile memory allows in-system and in-application programming for the end user. The programmable nonvolatile memory is mainly used for program code and operating parameter storage. The multiple-layer access control is an integral part of the CPU, providing confidentiality protection to embedded digital content by controlling reading, writing, and/or execution of a code segment according to a set of user-programmed parameters. The cipher incorporates a set of cryptographic rules for data encryption and decryption with row and column manipulation for data storage. All cryptographic operations are executed in parallel with CPU run time without incurring additional latency and delay for system operation.
    Type: Application
    Filed: October 23, 2008
    Publication date: April 29, 2010
    Inventors: Robert Michael Muchsel, Donald W. Loomis, Edward Tang K. Ma, Mark Alan Lovell, Michael Anthony Quarles
  • Publication number: 20090070540
    Abstract: A receiving apparatus has a first memory area accessible by a first provider providing first contents and a second memory area accessible by a second provider providing second contents. A receiving unit receives a first access right file and a second access right file. An output unit outputs the first contents or the second contents. A memory control unit stores first information associated with the first contents in the first memory area and stores second information associated with the second contents in the second memory area. A switching unit switches from outputting the first contents to outputting the second contents. A determining unit determines whether the second provider is permitted to access the first memory area. An output controller reads the first information and outputs the second contents based on the first information to the output unit when the second provider is permitted to access the first memory area.
    Type: Application
    Filed: September 4, 2008
    Publication date: March 12, 2009
    Inventor: Yoshiharu DEWA