An apparatus includes a processor, configured to designate a memory region in a memory, and to issue (i) memory-access commands for accessing the memory and (ii) a conditional-fence command associated with the designated memory region. Memory-Access Control Circuitry (MACC) is configured, in response to identifying the conditional-fence command, to allow execution of the memory-access commands that access addresses within the designated memory region, and to defer the execution of the memory-access commands that access addresses outside the designated memory region, until completion of all the memory-access commands that were issued before the conditional-fence command.

A computer storage device having a host interface, a controller, non-volatile storage media, and firmware. The firmware instructs the controller to: limit a crypto key to be used in data access requests made in a first namespace allocated on the non-volatile storage media of the computer storage device; store data in the first namespace in an encrypted form that is to be decrypted using the crypto key; free a portion of the non-volatile storage media from the first namespace, the portion storing the data; and make the portion of the non-volatile storage media available in a second namespace without erasing the data stored in the portion of the non-volatile storage media.

In one embodiment, a system may include a memory unit, a first processing unit configured to write data into a memory region of the memory unit, a second processing unit configured to read data from the memory region, a first control unit configured to control the first processing unit's access to the memory unit and, and a second control unit configured to control the second processing unit's access to the memory unit. The first control unit may be configured to obtain, from the second control unit, a first memory address associated with a data reading process of the second processing unit, receive a write request from the first processing unit, the read request having an associated second memory address, and write data into the memory region based on the write request in response to a determination that the second memory address falls outside of the guarded reading region.

A processor includes a register to store an encoded pointer to a variable in stack memory. The encoded pointer includes an encrypted portion and a fixed plaintext portion of a memory address corresponding to the variable. The processor further includes circuitry to, in response to a memory access request for associated with the variable, decrypt the encrypted portion of the encoded pointer to obtain first upper address bits of the memory address and a memory allocation size for a variable, decode the encoded pointer to obtain the memory address, verify the memory address is valid based, at least in part on the memory allocation size, and in response to determining that the memory address is valid, allow the memory access request.

A firmware protection module implements a hybrid firmware protection scheme on a computing device. The firmware protection module intercepts a message from a processor to a memory of the computing device. The message includes a command and an address in the memory corresponding to a firmware module stored in the module. The firmware protection module determines whether the command in the message is prohibited and whether the address in the message is protected. Responsive to a determination that the command is prohibited and the address is protected, the firmware protection module prevents at least a portion of the message from reaching the memory.

A system is provided to perform secure operations. The system includes an I/O subsystem, a memory subsystem and processors. The processors are operative to execute processes in trusted execution environments (TEEs) and rich execution environments (REEs). Each of the TEEs and the REEs is identified by a corresponding access identifier (AID) and protected by a corresponding system resource protection unit (SRPU). The corresponding SRPU of a TEE includes instructions, when executed by a corresponding processor, cause the corresponding processor to control access to the TEE using a data structure including allowed AIDs and pointers to memory locations accessible by the allowed AIDs.

A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

Memory access control circuitry controls handling of a memory access request based on at least one memory access control attribute associated with a region of address space including the target address. The memory access control circuitry comprises: lookup circuitry comprising a plurality of sets of comparison circuitry, each set of comparison circuitry to detect, based on at least one address-region-indicating parameter associated with a corresponding region of address space, whether the target address is within the corresponding region of address space; region mismatch prediction circuitry to provide a region mismatch prediction indicative of which of the sets of comparison circuitry is predicted to detect a region mismatch condition; and comparison disabling circuitry to disable at least one of the sets of comparison circuitry that is predicted by the region mismatch prediction circuitry to detect the region mismatch condition for the target address.

Examples described herein include systems and methods for retaining information about bad memory pages across an operating system reboot. An example method includes detecting, by a first instance of an operating system, an error in a memory page of a non-transitory storage medium of a computing device executing the operating system. The operating system can tag the memory page as a bad memory page, indicating that the memory page should not be used by the operating system. The operating system can also store tag information indicating memory pages of the storage medium that are tagged as bad memory pages. The example method can also include receiving an instruction to reboot the operating system, booting a second instance of the operating system, and providing the tag information to the second instance of the operating system. The operating system can use the tag information to avoid using the bad memory pages.

A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.