In Hierarchical Protection System, E.g., Privilege Levels, Memory Rings, Etc. (epo) Patents (Class 711/E12.097)
-
Patent number: 11960505Abstract: A database export system exports data using a plurality of nodes that process the data to generate structured result files that are partitioned by an export parameter in an export request. The database export system distributes the data and merges the files to avoid small file creation and increase processing speed via parallelism. The database export system generates the result files of a specified maximum size in a final format, where the files are processed merged in a temporary file format. The parallel processing is optimized and constrained per the amount of processing nodes, available memory, requested final file sizes, and operation based ordering to complete data exports in a scalable multi-stage approach.Type: GrantFiled: May 19, 2022Date of Patent: April 16, 2024Assignee: Snowflake Inc.Inventors: Vasile Paraschiv, Saurin Shah, Marianne Shaw, Nileema Shingte
-
Patent number: 11055440Abstract: A data processing apparatus has processing circuitry for executing first software at a first privilege level and second software at a second privilege level higher than the first privilege level. Attributes may be set by the first and second software to indicate whether execution of the data access instruction can be interrupted. For a predetermined type of data access instruction for which the second attribute set by the second software specifies that the instruction can be interrupted, the instruction may be set as interruptable even if the first attribute set by the first software specifies that the execution of the instruction cannot be interrupted.Type: GrantFiled: June 6, 2019Date of Patent: July 6, 2021Assignee: ARM LimitedInventors: Simon John Craske, Antony John Penton
-
Patent number: 10990471Abstract: A disclosed apparatus and method reduce the likelihood of multiple bit single event upset (SEU) errors in space-deployed memory devices and memory macros. For each memory, a bit selection layer effectively increases the mux of the memory bit table, thereby reducing the word size while increasing the word capacity, without changing the total memory capacity. As a result, the separation between the physical bit storage locations for each word is increased, thereby reducing the likelihood of multiple bit SEU errors. A buffer can be implemented if the memory lacks individual bit write control. The memory can be implemented in a core integrated circuit (IC) of an multi-chip module (MCM) hybrid integrated circuit (HIC), and the bit selection layer and/or buffer can be implemented in a chiplet or chiplets of the MCM-HIC.Type: GrantFiled: May 29, 2019Date of Patent: April 27, 2021Assignee: BAE Systems Information and Electronic Systems Integration Inc.Inventor: Jason F. Ross
-
Patent number: 10891146Abstract: A data processing system operates in a plurality of modes including a first privilege mode and a second privilege mode with the first privilege mode giving rights of access that are not available in the second privilege mode. Application code executes in the second privilege mode and generates function calls to hypervisor code which executes in the first privilege mode. These function calls are to perform a secure function requiring the rights of access which are only available in the first privilege mode. Scheduling code which executes in the second privilege mode controls scheduling of both the application code and the hypervisor code. Memory protection circuitry operating with physical addresses serves to control access permissions required to access different regions within the memory address space using configuration data which is written by the hypervisor code.Type: GrantFiled: April 20, 2015Date of Patent: January 12, 2021Assignee: ARM IP LimitedInventors: Milosch Meriac, Hugo John Martin Vincent, James Crosby
-
Patent number: 10860354Abstract: A data processing system operates in a plurality of modes including a first privilege mode and a second privilege mode with the first privilege mode giving rights of access that are not available in the second privilege mode. Application code executes in the second privilege mode and generates function calls to hypervisor code which executes in the first privilege mode. These function calls are to perform a secure function requiring the rights of access which are only available in the first privilege mode. Scheduling code which executes in the second privilege mode controls scheduling of both the application code and the hypervisor code. Memory protection circuitry operating with physical addresses serves to control access permissions required to access different regions within the memory address space using configuration data which is written by the hypervisor code.Type: GrantFiled: April 20, 2015Date of Patent: December 8, 2020Assignee: ARM IP LimitedInventors: Milosch Meriac, Hugo John Martin Vincent, James Crosby
-
Patent number: 10853269Abstract: A secure demand paging system including a secure internal memory, an external non-volatile memory having encrypted and integrity-protected code pages, an external volatile memory for swap pages and a processor coupled to said secure internal memory and to said external non-volatile memory and operable to decrypt and verify the integrity of the code pages thereby to transfer code pages to said secure internal memory directly from said external non-volatile memory bypassing said external volatile memory in respect of the code pages, and to swap out and swap in the swap pages between secure internal memory and said external volatile memory bypassing said external non-volatile memory in respect of the swap pages for said external volatile memory.Type: GrantFiled: April 13, 2016Date of Patent: December 1, 2020Assignee: Texas Instruments IncorporatedInventors: Steven C. Goss, Gregory Remy Philippe Conti, Narendar M. Shankar, Mehdi-Laurent Akkar, Aymeric Vial
-
Patent number: 10235303Abstract: Techniques for protecting software in a computing device are provided. A method according to these techniques includes receiving a request from a non-secure software module to execute an instruction of a secure software module comprising encrypted program code, determining whether the instruction comprises an instruction associated with a controlled point of entry to the secure software module accessible outside of the secure software module, executing one or more instructions of the secure software module responsive to the instruction comprising an instruction associated with the controlled point of entry to the secure software module, and controlling exit from the secure software module to return execution to the non-secure software module.Type: GrantFiled: August 9, 2016Date of Patent: March 19, 2019Assignee: QUALCOMM IncorporatedInventors: David Hartley, Roberto Avanzi, Rosario Cammarota
-
Patent number: 10116436Abstract: Techniques and apparatuses for detecting and preventing memory attacks are described. In one embodiment, for example, an apparatus may include at least one memory comprising a shared memory and a system memory, logic, at least a portion of the logic comprised in hardware coupled to the at least one shared memory, the logic to implement a memory monitor to determine a memory attack by an attacker application against a victim application using the shared memory, and prevent the memory attack, the memory monitor to determine that victim data is being reloaded into the shared memory from the system memory, store the victim data in a monitor memory, flush shared memory data stored in the shared memory, and write the victim data to the shared memory. Other embodiments are described and claimed.Type: GrantFiled: September 26, 2017Date of Patent: October 30, 2018Assignee: INTEL CORPORATIONInventors: Nagaraju N. Kodalapura, Arun Kanuparthi
-
Patent number: 10061940Abstract: A secure protection method executed by a processor is provided. The secure protection method includes the following steps: Perform a security checking before or after executing an instruction according to an instruction security attribute (ISA) of the instruction and a security attribute (SA) of an operational event (OE); and ignore the OE, defer the OE, or raise a security exception when the security checking fails. The OE is generated as a side effect when the processor fetches or executes the instruction, or generated as a monitoring result on the instruction, or generated in response to an external input of the processor.Type: GrantFiled: July 9, 2013Date of Patent: August 28, 2018Assignee: ANDES TECHNOLOGY CORPORATIONInventors: Chi-Chang Lai, Chuan-Hua Chang
-
Patent number: 10002031Abstract: A first thread is placed into a blocked state by causing the thread to perform a blocking pop operation on a hardware-accelerated, single-entry queue. When a synchronization event completes, a second thread may release the first thread from the blocked state pushing a data value onto the hardware accelerated, single-entry queue. The push operation satisfies the blocking pop operation, and the first thread is released.Type: GrantFiled: May 8, 2013Date of Patent: June 19, 2018Assignee: NVIDIA CORPORATIONInventors: Ignacio Llamas, James David Balfour
-
Patent number: 9910794Abstract: A method for executing a program code is suggested, the method comprising: checking a memory access policy resource based on a trigger; and comparing a current program counter with a program counter information provided by the memory access policy resource and, in case the comparison of the current program counter and the program counter information fulfills a predefined condition, conducting a memory access policy check to allow permitted operations.Type: GrantFiled: September 26, 2014Date of Patent: March 6, 2018Assignee: Infineon Technologies AGInventors: Narasimha Kumar Vedala, Bala Nagendra Raja Munjuluri, Prakash Nayak
-
Patent number: 9852083Abstract: A method for executing a program code is suggested, the method comprising: checking a memory access policy resource based on a trigger; and comparing a current program counter with a program counter information provided by the memory access policy resource and, in case the comparison of the current program counter and the program counter information fulfills a predefined condition, conducting a memory access policy check to allow permitted operations.Type: GrantFiled: September 26, 2014Date of Patent: December 26, 2017Assignee: Infineon Technologies AGInventors: Narasimha Kumar Vedala, Bala Nagendra Raja Munjuluri, Prakash Nayak
-
Patent number: 9798873Abstract: A processor can be used to ensure that program code can only be used for a designed purpose and not exploited by malware. Embodiments of an illustrative processor can comprise logic operable to execute a program instruction and to distinguish whether the program instruction is a legitimate branch instruction or a non-legitimate branch instruction.Type: GrantFiled: August 4, 2011Date of Patent: October 24, 2017Assignee: Elwha LLCInventors: Daniel A. Gerrity, Clarence T. Tegreene
-
Patent number: 9767324Abstract: The present application is directed to transparent execution of secret content. A device may be capable of downloading content that may include at least one secret portion, wherein any secret portions of the content may be directed to a secure workplace in the device not accessible to device operating system components, applications, users, etc. The device may then present the content in a manner that allows secret portions of the content to be executed without direct access. For example, the device may download content, and a director module in the device may direct any secret portions of the downloaded content to a secure workspace. During execution of the content, any inputs required by the secret portions may be provided to the secure workspace, and any resulting outputs from the secret portions may then be used during content presentation.Type: GrantFiled: November 22, 2014Date of Patent: September 19, 2017Assignee: INTEL CORPORATIONInventors: Jeffrey C Sedayao, Ivan Jibaja, Srikanth Varadarajan, Reshma Lal, Soham Jayesh Desai
-
Patent number: 9654142Abstract: A system and method for conveying data include the capability to determine whether a transaction request credit has been received at a computer module, the transaction request credit indicating that at least a portion of a transaction request message may be sent. The system and method also include the capability to determine, of a transaction request message is to be sent, whether at least a portion of the transaction request message may be sent and to send the at least a portion of the transaction request message if it may be sent.Type: GrantFiled: July 18, 2014Date of Patent: May 16, 2017Assignee: SILICON GRAPHICS INTERNATIONAL CORP.Inventors: Steven C. Miller, Thomas Edward McGee, Bruce Alan Strangfeld
-
Patent number: 9607165Abstract: Methods, systems, and computer program products for initializing a page with watchdog code, by: positioning a first set of instructions in a first address range on the page; determining that there is a second address range that is unused by the first set of instructions; and initializing the second address range with a second set of instructions, the second set of instructions being watchdog instructions.Type: GrantFiled: February 13, 2015Date of Patent: March 28, 2017Assignee: Red Hat Israel, Ltd.Inventor: Michael Tsirkin
-
Patent number: 9530005Abstract: Techniques for secure data management in a distributed environment are provided. A secure server includes a modified operating system that just allows a kernel application to access a secure hard drive of the secure server. The hard drive comes prepackaged with a service public and private key pair for encryption and decryption services with other secure servers of a network. The hard drive also comes prepackaged with trust certificates to authenticate the other secure servers for secure socket layer (SSL) communications with one another, and the hard drive comes with a data encryption key, which is used to encrypt storage of the secure server. The kernel application is used during data restores, data backups, and/or data versioning operations to ensure secure data management for a distributed network of users.Type: GrantFiled: November 23, 2015Date of Patent: December 27, 2016Assignee: Novell, Inc.Inventor: Gosukonda Naga Venkata Satya Sudhakar
-
Patent number: 9489541Abstract: A computer system comprising a processor and a memory for storing instructions, that when executed by the processor performs a copy protection method. The copy protection method comprises executing a software loop of a first software application in a first operating system. A first call is executed in the software loop to a code portion. A decrypted code portion of the first software application is executed in a second operating system in response to the first call. The code portion is decrypted in response to a successful validation of the first software application.Type: GrantFiled: April 27, 2012Date of Patent: November 8, 2016Assignee: NVIDIA CORPORATIONInventors: Anthony Michael Tamasi, Timothy Paul Lottes, Bojan Skaljak, Fedor Fomichev, Andrew Leighton Edelsten, Jay Huang, Ashutosh Gajanan Rege, Keith Brian Galocy
-
Patent number: 9389793Abstract: A semiconductor device includes, in various embodiments, a memory and a processor, with the processor configured to perform a permission check prior to execution of a memory-access instruction. The permission check comprises evaluating a permission attribute of the memory-access instruction and a permission attribute of a memory location to be accessed. The memory-access instruction is denied unless the permission attribute of the memory-access instruction is compatible with the permission attribute of the memory location to be accessed. In various embodiments, permission attributes are obtained by the processor from a one-time-programmable (OTP) memory module. In various embodiments, the permission attributes are determined based on a source address of the memory-access instruction and an address of the memory location to be accessed. In various embodiments, the OTP memory module stores permission settings that are based on the identity of suppliers for various portions of code stored in the memory.Type: GrantFiled: March 6, 2014Date of Patent: July 12, 2016Assignee: Freescale Semiconductor, Inc.Inventors: Richard Soja, Nancy H. Amedeo
-
Patent number: 9372996Abstract: An approach is provided for protecting data owned by an operating system on a mobile computing device having multiple operating systems. A map specifying protected data regions for the operating systems on the mobile computing device is generated. At least a portion of the map is secured with a shared key. Based on the map and the shared key, and in response to a data cleanup activity being performed by a software utility being executed on another, currently running operating system included in the multiple operating systems, a data region included in the protected data regions is determined to be owned by the operating system. Based on the data region being owned by the operating system and the data region being specified by the map, the data cleanup activity is blocked from being performed on the data region owned by the operating system.Type: GrantFiled: May 15, 2014Date of Patent: June 21, 2016Assignee: International Business Machines CorporationInventors: Blaine H. Dolph, Miku K. Jha, Sandeep R. Patil, Riyazahamad M. Shiraguppi, Gandhi Sivakumar
-
Patent number: 9280671Abstract: A semiconductor device includes a CPU, an EEPROM, and a ROM. The ROM includes an encryption area and a non-encryption area and the encrypted firmware is stored in the encryption area. The semiconductor device includes a decrypter which holds the encryption key, decrypts the encrypted firmware, and supplies the decrypted firmware to the CPU. The EEPROM includes a system area to which an access from the CPU is forbidden in a user mode. The encryption key is divided into split keys of plural bit strings, and stored in the distributed address areas in the system area. An encryption key reading program which is not encrypted is stored in the non-encryption area of the ROM. Executing the encryption key reading program, the CPU reads and reconfigures plural split keys stored in the EEPROM in a distributed manner to restore the encryption key and supplies the restored encryption key to the decrypter.Type: GrantFiled: October 23, 2013Date of Patent: March 8, 2016Assignee: Renesas Electronics CorporationInventors: Takashi Endo, Yosuke Tanno, Yoshiyuki Amanuma, Yuichiro Nariyoshi
-
Patent number: 9235709Abstract: A method and apparatus for protecting the integrity of a mobile terminal are provided. The mobile terminal includes a secure world for preventing unauthorized access to resources, and a normal world other than the secure world. The integrity protection method for the mobile terminal includes sensing a power-on of the mobile terminal, verifying, by a trusted entity in the normal world, the integrity of a first subsequent entity, and sending, when an integrity breach is detected in the first subsequent entity, by the trusted entity, a modification indication signal to the secure world.Type: GrantFiled: February 22, 2013Date of Patent: January 12, 2016Assignee: Samsung Electronics Co., Ltd.Inventors: Bumhan Kim, Sunghoon Yoo, Kyunghee Lee
-
Patent number: 8943288Abstract: Provided is a method of controlling memory access. In a system including a first layer element executed in a privileged mode having a first priority of permission to access the entire region of a memory and second and third layer elements executed in an unprivileged mode having a second priority of permission to access a partial region of the memory, the method of controlling memory access determines whether the memory is accessible for each page that is an address space unit, based on which mode a layer element currently accessing the memory is executed in between the privileged mode and the unprivileged mode; and determines whether the memory is accessible based on which one of the first, second and third layer elements corresponds to a domain currently being attempted to be accessed from among a plurality of domains of the memory.Type: GrantFiled: January 8, 2013Date of Patent: January 27, 2015Assignee: Samsung Electronics Co., Ltd.Inventors: Sung-kwan Heo, Chan-ju Park, Sang-bum Suh, Joo-young Hwang, Jae-min Ryu
-
Patent number: 8918610Abstract: A chip including a processor for performing a predetermined operation, a provider for providing a clock signal, with which the processor is clocked, a counter for decrementing or incrementing a count based on the clock signal, a monitor for signaling the predetermined operation to be prevented, depending on the count, and a non-volatile storage for non-volatily storing the count.Type: GrantFiled: December 8, 2004Date of Patent: December 23, 2014Assignee: Infineon Technologies AGInventor: Peter Laackmann
-
Patent number: 8904106Abstract: In a method for allocating space on a logical disk, a computer receives an allocation request to allocate a number of requested logical disk extents. The computer selects one of a first group having an array of logical disk extents and a second group having an array of logical disk extents. The computer selects a group having a number of free logical disk extents that is greater than or equal to the number of requested logical disk extents. The logical disk extents in the array of the first group and in the array of the second group correspond to disk blocks on a logical disk. The logical disk spans one or more physical random access disks. The computer locks the selected group to prevent allocating a logical disk extent other than in response to the allocation request.Type: GrantFiled: June 22, 2011Date of Patent: December 2, 2014Assignee: International Business Machines CorporationInventors: Adekunle Bello, Aruna Yedavilli
-
Patent number: 8788775Abstract: A data processing system 2 including processing circuitry 4 operating in either a first mode or a second mode. Page table data 30 including access control bits 40, 42, is used to control permissions for memory access to memory pages. In the first mode, the access control bits include at least one instance of a redundant encoding. In the second mode, the redundant encoding is removed to provide more efficient use of the access control bit encoding space.Type: GrantFiled: June 28, 2011Date of Patent: July 22, 2014Assignee: Arm LimitedInventor: Richard Roy Grisenthwaite
-
Publication number: 20110314215Abstract: A multi-priority encoder includes a plurality of interconnected, single-priority encoders arranged in descending priority order. The multi-priority encoder includes circuitry for blocking a match output by a lower level single-priority encoder if a higher level single-priority encoder outputs a match output Match data is received from a content addressable memory, and the priority encoder includes address encoding circuitry for outputting the address locations of each highest priority match line flagged by the highest priority indicator. Each single-priority encoder includes a highest priority indicator which has a plurality of indicator segments, each indicator segment being associated with a match line input.Type: ApplicationFiled: July 1, 2011Publication date: December 22, 2011Applicant: Micron Technology, Inc.Inventor: Zvi Regev
-
Patent number: 7991947Abstract: A multi-priority encoder includes a plurality of interconnected, single-priority encoders arranged in descending priority order. The multi-priority encoder includes circuitry for blocking a match output by a lower level single-priority encoder if a higher level single-priority encoder outputs a match output. Match data is received from a content addressable memory, and the priority encoder includes address encoding circuitry for outputting the address locations of each highest priority match line flagged by the highest priority indicator. Each single-priority encoder includes a highest priority indicator which has a plurality of indicator segments, each indicator segment being associated with a match line input.Type: GrantFiled: December 30, 2002Date of Patent: August 2, 2011Assignee: Micron Technology, Inc.Inventor: Zvi Regev
-
Patent number: 7882317Abstract: A first plurality of operating system processes is assigned to a first protection domain, and a second plurality of operating system processes is assigned to a second protection domain. One or more hardware protection mechanisms are used to prevent the first plurality of operating system processes from accessing the memory space of the second plurality of operating system processes, and also to prevent the second plurality of operating system processes from accessing the memory space of the first plurality of operating system processes.Type: GrantFiled: August 4, 2006Date of Patent: February 1, 2011Assignee: Microsoft CorporationInventors: Galen C. Hunt, Chris K. Hawblitzel, James R. Larus, Manuel A. Fahndrich, Mark Aiken
-
Patent number: 7831788Abstract: Systems, methods, apparatus and software can utilize storage resource locks to prevent modification (including relocation) of data in the storage resource while a third-party copy operation directed at the storage resource is occurring. A data transport mechanism such as a data restore application requests that a relevant portion of the storage resource be locked. Once locked, the data transport mechanism requests a data mover to perform a third-party copy operation whereby data is moved from a data source to the locked portion of the storage resource. When the third party-copy operation is complete, the data transport mechanism requests release of the lock on the portion of the storage resource.Type: GrantFiled: May 28, 2004Date of Patent: November 9, 2010Assignee: Symantec Operating CorporationInventors: James P. Ohr, Thomas W. Lanzatella
-
Publication number: 20100228936Abstract: One embodiment of the present invention provides a system that accesses memory locations in an object-addressed memory system. During a memory access in the object-addressed memory system, the system receives an object identifier and an address. The system then uses the object identifier to identify a paged memory object associated with the memory access. Next, the system uses the address and a page table associated with the paged memory object to identify a memory page associated with the memory access. After determining the memory page, the system uses the address to access a memory location in the memory page.Type: ApplicationFiled: March 5, 2009Publication date: September 9, 2010Applicant: SUN MICROSYSTEMS, INC.Inventors: Gregory M. Wright, Christopher A. Vick, Mario I. Wolczko
-
Publication number: 20100106954Abstract: The present invention relates to a microcontroller designed for protection of intellectual digital content. The microcontroller includes a secure CPU, a real-time cipher, and a user programmable multi-layer access control system for internal memory realized by programmable nonvolatile memory. Programmable nonvolatile memory allows in-system and in-application programming for the end user. The programmable nonvolatile memory is mainly used for program code and operating parameter storage. The multiple-layer access control is an integral part of the CPU, providing confidentiality protection to embedded digital content by controlling reading, writing, and/or execution of a code segment according to a set of user-programmed parameters. The cipher incorporates a set of cryptographic rules for data encryption and decryption with row and column manipulation for data storage. All cryptographic operations are executed in parallel with CPU run time without incurring additional latency and delay for system operation.Type: ApplicationFiled: October 23, 2008Publication date: April 29, 2010Inventors: Robert Michael Muchsel, Donald W. Loomis, Edward Tang K. Ma, Mark Alan Lovell, Michael Anthony Quarles
-
Publication number: 20090070540Abstract: A receiving apparatus has a first memory area accessible by a first provider providing first contents and a second memory area accessible by a second provider providing second contents. A receiving unit receives a first access right file and a second access right file. An output unit outputs the first contents or the second contents. A memory control unit stores first information associated with the first contents in the first memory area and stores second information associated with the second contents in the second memory area. A switching unit switches from outputting the first contents to outputting the second contents. A determining unit determines whether the second provider is permitted to access the first memory area. An output controller reads the first information and outputs the second contents based on the first information to the output unit when the second provider is permitted to access the first memory area.Type: ApplicationFiled: September 4, 2008Publication date: March 12, 2009Inventor: Yoshiharu DEWA