An apparatus comprising memory access circuitry to perform a tag-guarded memory access in response to a received target address and methods of operation of the same are disclosed. In the tag-guarded memory access a guard-tag retrieval operation seeks to retrieve a guard tag stored in association with a block of one or more memory locations comprising an addressed location identified by the received target address, and a guard-tag check operation compares an address tag associated with the received target address with the guard tag retrieved by the guard-tag retrieval operation. When the guard-tag retrieval operation is unsuccessful in retrieving the guard tag, a substitute guard tag value is stored as the guard tag in association with the block of one or more memory locations comprising the addressed location identified by the target address.

A processing device in a host system monitors a data temperature of a plurality of memory pages stored in a host-addressable region of a cache memory component operatively coupled with the host system. The processing device determines that a first memory page of the plurality of memory pages satisfies a first threshold criterion pertaining to the data temperature of the first memory page and sends a first migration command indicating the first memory page to a direct memory access (DMA) engine executing on a memory-mapped storage component operatively coupled with the cache memory component and with the memory-mapped storage component via a peripheral component interconnect express (PCIe) bus. The first migration command causes the DMA engine to initiate a first DMA transfer of the first memory page from the cache memory component to a host-addressable region of the memory-mapped storage component.

According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to determine, for each of a plurality of members in a group, a respective least privilege level for a resource and determine, based on the determined respective least privilege levels, a privilege level to be assigned to the group for the resource. The instructions may also cause the processor to assign the determined privilege level to the group for the resource and apply the assigned privilege level to the members of the group for the resource.

In an embodiment a method includes compiling, by a processor in a compiling phase, a software program intended to be executed by the processor, the processor having secure and non-secure access right level execution contexts, and/or privileged and non-privileged access right level execution contexts and generating, in the compilation phase, instructions in machine language having an exclusively secure access right level when the instructions are intended to be executed in the secure access right level execution context, and instructions having a non-privileged access right level when the instructions are intended to be executed in the non-privileged access right level execution context.

A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

A processor of an aspect includes a decode unit to decode an instruction. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine that an attempted change due to the instruction, to a shadow stack pointer of a shadow stack, would cause the shadow stack pointer to exceed an allowed range. The execution unit is also to take an exception in response to determining that the attempted change to the shadow stack pointer would cause the shadow stack pointer to exceed the allowed range. Other processors, methods, systems, and instructions are disclosed.

A data processing system (DPS) uses platform protection technology (PPT) to protect some or all of the code and data belonging to certain software modules. The PPT may include a virtual machine monitor (VMM) to enable an untrusted application and a trusted application to run on top of a single operating system (OS), while preventing the untrusted application from accessing memory used by the trusted application. The VMM may use a first extended page table (EPT) to translate a guest physical address (GPA) into a first host physical address (HPA) for the untrusted application. The VMM may use a second EPT to translate the GPA into a second HPA for the trusted application. The first and second EPTs may map the same GPA to different HPAs. Other embodiments are described and claimed.

Systems and methods for encryption support for virtual machines. An example method may comprise initializing, by a firmware module associated with a virtual machine running on a host computer system, an exclusion range register associated with the virtual machine with a value specifying a first portion of guest memory, wherein the first portion of the guest memory comprises an exclusion range marked as reserved; encrypting, by the firmware using an ephemeral encryption key, a second portion of the guest memory; booting, by a hypervisor of the host computer system, the virtual machine; and responsive to intercepting, by the hypervisor, a privileged instruction executed by the virtual machine, performing at least one of: copying data for performing the privileged instruction to the first portion of the guest memory or copying data for performing the privileged instruction from the first portion of the guest memory.

Technologies disclosed herein provide cryptographic computing. An example method comprises storing, in a register, an encoded pointer to a memory location, wherein the encoded pointer comprises first context information and a slice of a memory address of the memory location, wherein the first context information includes an identification of a data key; decoding the encoded pointer to obtain the memory address of the memory location; using the memory address obtained by decoding the encoded pointer to access encrypted data at the memory location; and decrypting the encrypted data based on the data key.

A server includes a data cache for storing data objects requested by users logged in under different user roles. Different user roles may have different permissions to access individual fields within a data object. When a cache miss occurs, the cache may begin loading portions of a requested data object from various data sources. Instead of waiting for the entire object to load to change the object state to “valid,” the cache may incrementally update the state through various levels of validity based on the user role of the request. When a portion of the data object used by a low-level user role is received, the object state can be upgraded to be valid for that user role while data for higher-level user roles continues to load. The portion of the data object can then be sent to the low-level user roles without waiting for the rest of the data object to load.