Memory devices, systems including memory devices, and methods of operating memory devices are described, in which security measures may be implemented to control access to a fuse array (or other secure features) of the memory devices based on a secure access key. In some cases, a customer may define and store a user-defined access key in the fuse array. In other cases, a manufacturer of the memory device may define a manufacturer-defined access key (e.g., an access key based on fuse identification (FID), a secret access key), where a host device coupled with the memory device may obtain the manufacturer-defined access key according to certain protocols. The memory device may compare an access key included in a command directed to the memory device with either the user-defined access key or the manufacturer-defined access key to determine whether to permit or prohibit execution of the command based on the comparison.

To increase the speed with which a Second Layer Address Table (SLAT) is traversed, memory having the same access permissions is contiguously arranged such that one or more hierarchical levels of the SLAT need not be referenced, thereby resulting in more efficient SLAT traversal. “Slabs” of memory are established whose memory range is sufficiently large that reference to a hierarchically lower level table can be skipped and a hierarchically higher level table's entries can directly identify relevant memory addresses. Such slabs are aligned to avoid smaller intermediate memory ranges. The loading of code or data into memory is performed based on a next available memory location within a slab having equivalent access permissions, or, if such a slab is not available, or if an existing slab does not have a sufficient quantity of available memory remaining, a new slab with the proper access permissions is established.

A data processing system (DPS) uses platform protection technology (PPT) to protect some or all of the code and data belonging to certain software modules. The PPT may include a virtual machine monitor (VMM) to enable an untrusted application and a trusted application to run on top of a single operating system (OS), while preventing the untrusted application from accessing memory used by the trusted application. The VMM may use a first extended page table (EPT) to translate a guest physical address (GPA) into a first host physical address (HPA) for the untrusted application. The VMM may use a second EPT to translate the GPA into a second HPA for the trusted application. The first and second EPTs may map the same GPA to different HPAs. Other embodiments are described and claimed.

An apparatus and method for managing different page tables for different privilege levels. For example, one embodiment of a processor comprises: a first control register to store a first base address associated with program code executed at a first privilege level; a second control register to store a second base address associated with program code executed at a second privilege level lower than the first privilege level; and address translation circuitry to identify a first base translation table using the first base address responsive to a first address translation request originating from the program code executed at the first privilege level and to identify a second base translation table using the second base address responsive to a second address translation request originating from the program code executed at the second privilege level.

An apparatus is provided comprising storage elements to store data blocks, where each data block has capability metadata associated therewith identifying whether the data block specifies a capability, at least one capability type being a bounded pointer. Processing circuitry is then arranged to be responsive to a bulk capability metadata operation identifying a plurality of the storage elements, to perform an operation on the capability metadata associated with each data block stored in the plurality of storage elements. Via a single specified operation, this hence enables query and/or modification operations to be performed on multiple items of capability metadata, hence providing more efficient access to such capability metadata.

Memory access circuitry controls access to memory based on ownership information defining, for a given memory region, an owner realm specified from among two or more realms, each realm corresponding to at least a portion of a software processes running on processing circuitry. The owner realm has a right to exclude other realms from accessing data stored within the given memory region. When security configuration parameters for a given realm specify that the given realm is associated with a trusted intermediary realm identified by the security configuration parameters, the trusted intermediary realm may be allowed to perform at least one realm management function for the given realm, e.g. provision of secret keys and/or saving/restoring of security configuration parameters. This can enable use cases where multiple instances of the same realm with common parameters need to be established on the same system at different times or on different systems.

Systems, methods, and computer-readable media for cybersecurity are disclosed. The systems and methods may involve receiving, by an application capable of JavaScript execution, code for execution; executing, before execution of the received code, an intercepting code, wherein the intercepting code is configured to intercept at least one application programming interface (API) invocation by the received code; intercepting, by the intercepting code, an API invocation by the received code; determining that the intercepted API invocation results in a manipulation of a backing store object; and modifying an execution of the intercepted API invocation, wherein the modified execution results in at least one of: a non-predictable memory layout, a non-predictable memory behavior, or a non-predictable property of an object.

Systems, apparatuses, and methods related to a virtual machine register in a computer processor are described. For example, a memory coupled to the computer processor can store instructions of routines of predefined, non-hierarchical domains. The computer processor can store, in the virtual machine register, an identifier of a virtual machine for which the processor is currently executing instructions in a current domain in the set of domains. For example, the processor can implement resource restriction/mapping and/or perform address translation for the virtual machine based on the identifier stored in the virtual machine register.

Examples of the present disclosure describe systems and methods for sharing memory using a multi-ring shared, traversable and dynamic database. In aspects, the database may be synchronized and shared between multiple processes and/or operation mode protection rings of a system. The database may also be persisted to enable the management of information between hardware reboots and application sessions. The information stored in the database may be view independent, traversable, and resizable from various component views of the database. In some aspects, an event processor is additionally described. The event processor may use the database to allocate memory chunks of a shared heap to components/processes in one or more protection modes of the operating system.

Some aspects of this disclosure relate to implementing a thread device that can associate with a thread network. The thread device includes a network processor, a first memory, and a host processor communicatively coupled to the network processor and the first memory. The first memory can be a nonvolatile memory with a first level security protection, and configured to store a first dataset including thread network parameters for the network processor to manage network functions for the thread device associated with the thread network. The host processor is configured to perform various operations associated with the first dataset stored in the first memory. The network processor can be communicatively coupled to a second memory to store a second dataset, where the second dataset has a same content as the first dataset. The network processor is configured to manage the network functions based on the second dataset. The second memory can be a volatile memory with a second level security protection that is less than the first level security protection.