Patent classifications
G06F12/145
Memory tracking for malware detection
A device may load a process under test into virtual memory associated with the device. The virtual memory may include a plurality of memory pages. The device may insert a malware inspection element and a memory tracking element into the process under test and may provide a notification of an event associated with the process under test to the memory tracking element. The device may identify, using the memory tracking element, one or more memory pages of the plurality of memory pages. The one or more memory pages may be assigned to, and used by, the process under test. The device may generate, based on identifying the one or more memory pages, a memory map, associated with the process under test, that may include information identifying the one or more memory pages as being assigned to, and used by, the process under test.
TRUST DOMAINS FOR PERIPHERAL DEVICES
Disclosed are various embodiments of approaches for implementing trust domains to provide boundaries between PCIe devices connected to the same PCIe switch. A first trust identifier can be assigned to a first virtual machine hosted by the computing device. The first trust identifier can also be assigned to a first PCIe device assigned to the first virtual machine. Later, it can be determined that a second PCIe device connected to the PCIe switch is assigned a second trust identifier assigned to a second virtual machine. An Access Control Services (ACS) direct translated bit for peer-to-peer memory requests in the PCIe switch can be disabled in response to a determination that the second PCIe device is associated with the second trust identifier assigned to the second virtual machine.
Security configurations in page table entries for execution domains
Systems, apparatuses, and methods related to a computer system having a page table entry containing security settings for calls from predefined domains are described. The page table entry can be used to map a virtual memory address to a physical memory address. In response to a call to execute a routine identified using the virtual memory address, a security setting corresponding to the execution domain from which the call initiates can be extracted from the page table entry to determine whether a security measure is to be used. For example, a shadow stack structure can be used to protect the private stack content of the routine from being accessed by a caller and/or to protect the private stack content of the caller from being accessed by the callee.
Secure modular devices
A system includes a memory and a processor. The memory is in communication with the processor and configured to initialize a secure interface configured to provide access to a virtual machine (VM) from a device, where the VM is associated with a level of security. A buffer is allocated and associated with the secure interface, where the level of security of the VM indicates whether the device has access to guest memory of the VM via the buffer. The buffer is then provided to the device. Inputs/outputs (I/Os) are sent between the device and the VM using the secure interface.
Cryptography key generation method for encryption and decryption
This disclosure is directed to generating a set of data elements for more secure encryption or more resilient decryption associated with generating a target set of conditional data elements. The target set of conditional data elements may fulfill a condition. Public keys associated with an encrypted message may be associated with conditional data elements of the target set of conditional data elements. By performing at least one cycle of decryption associated with the public keys, an encrypted message may be decrypted.
APPARATUS, SYSTEM, AND METHOD FOR SECURE MEMORY ACCESS CONTROL
In an embodiment, an apparatus includes a memory access controller to be coupled to a memory and a memory management unit (MMU) coupled to the memory access controller. The MMU is to receive a memory transaction comprising an original transaction security attribute from a first device; responsive to the memory transaction comprising a first physical address of the memory, transmit the memory transaction to the memory access controller; and responsive to the memory transaction comprising a virtual address, generate a translated memory transaction comprising a translated physical address of the memory based on the virtual address and a translated transaction security attribute and transmit the translated memory transaction to the memory access controller, the translated physical address and the translated transaction security attribute associated with an operating system (OS) memory region of the memory associated with an OS. Other embodiments are described and claimed.
Determining a tag value for use in a tag-guarded memory
An apparatus is provided for determining, for use in a tag-guarded memory, a selected tag value from a plurality of tag values. The apparatus comprises ordered list generation circuitry to receive an excluded tag vector comprising a plurality of fields, where each field is associated with a tag value and identifies whether the associated tag value is excluded from use. The ordered list generation circuitry is arranged to generate, from the excluded tag vector, an ordered list of non-excluded tag values. The apparatus further comprises count determination circuitry to determine, using the excluded tag vector and an identified start tag value, a count value indicative of a number of non-excluded tag values occurring in a region of the excluded tag vector bounded by an initial field and a field corresponding to the start tag value. The apparatus also comprises tag selection circuitry to determine the selected tag value from the ordered list based on the count value and an identified offset which indicates a required number of non-excluded tag values between the start tag value and the selected tag value.
SECURE DIRECT PEER-TO-PEER MEMORY ACCESS REQUESTS BETWEEN DEVICES
An embodiment of an integrated circuit comprises circuitry to store memory protection information for a non-host memory in a memory protection cache, and perform one or more memory protection checks on a translated access request for the non-host memory based on the stored memory protection information. Other embodiments are disclosed and claimed.
SYSTEM ON CHIP INCLUDING SECURE PROCESSOR AND SEMICONDUCTOR SYSTEM INCLUDING THE SAME
A secure processor and a semiconductor system including the same are provided. Provided is a system on chip comprising a secure processor, wherein the secure processor includes: a random access memory (RAM) including a RAM cache area storing a page and a timestamp table storing a timestamp, an encryption/decryption engine configured to encrypt the page by using the timestamp, and a direct memory access (DMA) module configured to transmit the encrypted page to a swap area of a first memory disposed outside the system on chip, wherein the first memory includes a tag table area storing a tag generated by the encryption/decryption engine encrypting the page and a timestamp backup area backing up the timestamp, and the swap area, the tag table area, and the timestamp backup area are backed up in a second memory disposed outside the system on chip.
CONFIDENTIAL COMPUTING MECHANISM
According to a first aspect, execution logic is configured to perform a linear capability transfer operation which transfers a physical capability from a partition of a first software module to a partition of a second software module without retaining it in the partition of the first. According to a second, alternative or additional aspect, the execution logic is configured to perform a sharding operation whereby a physical capability is divided into at least two instances, which may later be combined.