G06F12/1416

MALWARE MITIGATION BASED ON RUNTIME MEMORY ALLOCATION

A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

CONTROLLING MEMORY ACCESS IN A DATA PROCESSING SYSTEM WITH MULTIPLE SUBSYSTEMS

Apparatuses, methods and techniques for controlling memory access in a data processing system are disclosed. The data processing system comprises multiple subsystems, each comprising at least one processing element and at least one peripheral device. Memory transaction control circuitry receives memory transaction information of a memory transaction comprising a stream identifier indicative of the issuing peripheral device. A main control register indicates an address of a stream table having multiple entries, each comprising an owning subsystem identifier. At least one subsystem control register corresponding to each subsystem of the multiple subsystems stores memory access checking configuration information. On receipt of the memory transaction information, an entry of the stream table is selected in dependence on the stream identifier. At least one subsystem control register corresponding to the subsystem identified by the owning subsystem identifier of the entry is then selected.

ADAPTIVE MEMORY CONSISTENCY IN DISAGGREGATED DATACENTERS

A data processor includes a fabric-attached memory (FAM) interface for coupling to a data fabric and fulfilling memory access instructions. A requestor-side adaptive consistency controller coupled to the FAM interface requests notifications from a fabric manager for the fabric-attached memory regarding changes in requestors authorized to access a FAM region which the data processor is authorized to access. If a notification indicates that more than one requestor is authorized to access the FAM region, fences are activated for selected memory access instructions in a local application.

MEMORY SYSTEM VERIFICATION
20230140975 · 2023-05-11

There is provided a data processing apparatus, which is suitable for verifying memory systems. Processing circuitry issues a plurality of memory access requests to a plurality of addresses in a memory. Point-of-trust circuitry receives the memory access requests from the processing circuitry via a first set of intermediate circuits. Secure channel circuitry enables secure communication of a correspondence between the plurality of addresses from the processing circuitry to the point-of-trust circuitry. The point-of-trust circuitry determines whether the addresses in the memory of the memory access requests received via the first set of intermediate circuits have a predetermined relationship based on the correspondence.

CIRCUITRY AND METHODS FOR IMPLEMENTING NON-REDUNDANT METADATA STORAGE ADDRESSED BY BOUNDED CAPABILITIES
20230195614 · 2023-06-22

Systems, methods, and apparatuses for implementing non-redundant metadata storage addressed by bounded capabilities are described. In certain examples, a hardware processor core comprises an execution circuit to generate a first memory access request for a first single object in memory by a first capability and a second memory access request for a second different sized single object in the memory by a second capability, wherein a format of each of the first capability and the second capability comprises a single metadata field for access control of a single object in the memory, a bounds field that is to indicate a lower bound and an upper bound of the single object in the memory to which the single metadata field authorizes access, and an address field to indicate an address in the single object that is to be accessed; and a capability management circuit to determine a first location of a corresponding first metadata field in the memory based on the bounds field of the first capability, proceed with the first memory access request in response to a match of metadata in the single metadata field of the first capability against metadata at the corresponding first metadata field in the memory, determine a second location of a corresponding second metadata field in the memory based on the bounds field of the second capability, and proceed with the second memory access request in response to a match of metadata in the single metadata field of the second capability against metadata at the corresponding second metadata field in the memory.

Hardware-enforced prevention of buffer overflow
09804975 · 2017-10-31

An apparatus having processing circuitry configured to execute applications involving access to memory may include a CPU and a cache controller. The CPU may be configured to access cache memory for execution of an application. The cache controller may be configured to provide an interface between the CPU and the cache memory. The cache controller may include a bitmask to enable the cache controller to employ a two-level data structure to identify memory exploits using hardware. The two-level data structure may include a page level protection mechanism, and a sub-page level protection mechanism.

Granting exclusive cache access using locality cache coherency state

A cache coherency management facility reduces latency in granting exclusive access to a cache in certain situations. A node requests exclusive access to a cache line of the cache. The node is in one region of nodes of a plurality of regions of nodes. The one region of nodes includes the node requesting exclusive access and another node of the computing environment, where the two nodes are local to one another as defined by a predetermined criterion. The node requesting exclusive access checks a locality cache coherency state of the other node, the locality cache coherency state being specific to the other node and indicating whether the other node has access to the cache line. Based on the check indicating that the other node has access to the cache line, a determination is made that the node requesting exclusive access is to be granted exclusive access to the cache line. The determination is independent of transmission of information relating to the cache line from one or more other nodes of the one or more other regions of nodes.

SYSTEM AND METHOD FOR PROBABILISTIC DEFENSE AGAINST REMOTE EXPLOITATION OF MEMORY

A system and method are provided for probabilistic defense against remote exploitation of memory. In certain embodiments, the system comprises one or more processors, read and execute (RX) portions of memory, read and write (RW) portions of memory, execute-only (XOM) portions of memory, and one or more programs stored in the memory. The one or more programs include instructions for maintaining all pointers to RX memory instructions in XOM memory. In addition, the one or more programs include instructions for preventing all direct references to RX memory from RW memory by forcing pointers in RW memory to reference XOM memory first, which in turn references the RX memory instructions.

Systems and methods for selectively masking data on virtual storage devices

A computer-implemented method for selectively masking data on virtual storage devices may include (1) identifying data stored on a virtual storage device that can be accessed by a virtual machine, (2) intercepting, from a process executing outside the virtual machine, an attempt by a process of the virtual machine to read the data, (3) determining that the virtual machine process is not authorized to read the data, and (4) in response to determining that the virtual machine process is not authorized to read the data, masking the data from the virtual machine process. Various other methods, systems, and computer-readable media are also disclosed.