Identification and execution of subsets of a plurality of instructions in a more secure execution environment
First Claim
1. At least one non-transitory computer-readable medium having computer-readable code embodied therein, the computer-readable code configured to enable a computing device, in response to execution of the code, to:
identify and encrypt a first subset of a first plurality of instructions, wherein the first subset comprises a basic block including a second plurality of instructions of the first plurality of instructions, wherein the basic block includes only a single entry point and only a single exit point, to enable one or more instructions of the first plurality of instructions that precede or follow the first subset to be executed in a first execution environment with a first security level, and to enable the first subset to be executed in a second execution environment with a second security level that is more secure than the first security level;
identify and encrypt a second subset; and
concatenate the first and second subsets, the first and second subsets to be executed in the second execution environment; and
generate an index of the concatenated first and second subsets, the index to include a relative virtual address associated with at least one of the first and second subsets.
Abstract
Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein for identifying and encrypting a subset of a plurality of instructions, for execution in a more secure execution environment. In various embodiments, the subset may include a single entry point and a single exit point. In various embodiments, one or more instructions of the plurality of instructions that precede or follow the subset may be executed in a first execution environment with a first security level. In various embodiments, the subset may be executed in a second execution environment with a second security level that is more secure than the first security level.
19 Claims

1. At least one non-transitory computer-readable medium having computer-readable code embodied therein, the computer-readable code configured to enable a computing device, in response to execution of the code, to:
identify and encrypt a first subset of a first plurality of instructions, wherein the first subset comprises a basic block including a second plurality of instructions of the first plurality of instructions, wherein the basic block includes only a single entry point and only a single exit point, to enable one or more instructions of the first plurality of instructions that precede or follow the first subset to be executed in a first execution environment with a first security level, and to enable the first subset to be executed in a second execution environment with a second security level that is more secure than the first security level;
identify and encrypt a second subset; and
concatenate the first and second subsets, the first and second subsets to be executed in the second execution environment; and
generate an index of the concatenated first and second subsets, the index to include a relative virtual address associated with at least one of the first and second subsets.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. At least one non-transitory computer-readable medium having computer-readable code embodied therein, the computer-readable code comprising:
a first set of instructions to be executed in a first execution environment of a computing device with a first security level;
a second set of instructions, that includes a plurality of instructions, wherein the plurality of instructions includes only a single entry point and only a single exit point, to be executed in a second execution environment of the computing device with a second security level that is more secure than the first security level;
a third set of instructions, that includes a single entry point and a single exit point, to be executed in the second execution environment, wherein the second and third sets of instructions are encrypted and concatenated; and
an index of the concatenated second and third sets of instructions that comprises a relative virtual address associated with at least one of the second and third sets; and
wherein the first set of instructions includes at least one instruction to redirect execution to the second execution environment and at least one instruction to preserve an execution context prior to redirection of execution to the second execution environment, and wherein the second set of instructions includes at least one instruction to restore the execution context.
Dependent claims: 9, 10, 11, 12, 13.

14. A computer-implemented method, comprising:
identifying and extracting, by a computing device, a first subset of a first plurality of instructions, wherein the first subset comprises a basic block including a second plurality of instructions, wherein the basic block includes only a single entry point and only a single exit point;
adding, by the computing device, to the first plurality of instructions in place of the extracted first subset, one or more instructions to redirect execution from a first execution environment with a first security level to a second execution environment with a second security level that is more secure than the first security level;
adding, by the computing device, the first subset to a third plurality of instructions to be executed in the second execution environment, wherein the first plurality of instructions is to be executed in the first execution environment;
encrypting, by the computing device, the first subset;
identifying and encrypting, by the computing device, a second subset of the plurality of instructions; and
concatenating, by the computing device, the first and second subsets;
generating, by the computing device, an index of the concatenated first and second subsets, the index to include a relative virtual address associated with at least one of the first and second subsets; and
adding, by the computing device, to the third plurality of instructions, one or more instructions to redirect execution from the second execution environment to the first execution environment.
Dependent claims: 15, 16.

17. A system, comprising:
one or more processing units;
a memory operably coupled to the one or more processing units;
a first execution environment having a first security level;
a second execution environment having a second security level that is more secure than the first security level; and
a software converter to be operated by the one or more processing units and configured to:
identify and encrypt a first subset of a first plurality of instructions suitable for execution in the second execution environment, to enable one or more instructions of the first plurality of instructions that precede or follow the subset to be executed in the first execution environment, to enable the first subset to be executed in the second execution environment;
identify and encrypt a second subset; and
concatenate the first and second subsets, the first and second subsets to be executed in the second execution environment;
generate an index of the concatenated first and second subsets, the index to include a relative virtual address associated with at least one of the first and second subsets; and
add, to the first plurality of instructions which are before the first subset, one or more instructions to preserve an execution context prior to redirection of execution from the first execution environment to the second execution environment;
wherein the subset comprises a basic block including a second plurality of instructions of the first plurality of instructions, wherein the basic block includes only a single entry point and only a single exit point.
Dependent claims: 18, 19.
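The converter and the two-environment hand-off that the claims describe, written out as an added Python example; this is not code from the patent or from any product it covers. It assumes a constructed toy instruction set and sample program, takes the set of blocks to protect as an input (the "identify" step), stands in an HMAC-SHA256 counter keystream with an HMAC tag for the cipher the patent leaves unspecified, and uses byte offsets into the concatenated image as the relative virtual addresses. All names (basic_blocks, convert, execute, secure_call, secure_ret) are the example's own.

```python
import hashlib, hmac, json, os

# Toy IR, constructed for this example (the patent fixes no ISA or cipher): ops
# mov/add/xor (dst, src), jmp label, jz reg label, label name, ret.  Operands are
# register names (str) or immediates (int).
ALU = {"mov": lambda a, b: b, "add": lambda a, b: a + b, "xor": lambda a, b: a ^ b}

PROGRAM = [                    # constructed sample: a loop worth protecting
    ("mov", "r0", 0),          # block 0: public prologue
    ("mov", "r1", 5),
    ("label", "loop"),         # block 1: loop body, single entry, exits at jz
    ("add", "r0", "r1"),
    ("xor", "r0", 0x5A),
    ("add", "r1", -1),
    ("jz", "r1", "done"),
    ("jmp", "loop"),           # block 2: lone back-edge
    ("label", "done"),         # block 3: epilogue
    ("ret",),
]

def basic_blocks(prog):
    """(start, end) ranges, each with one entry and one exit.  Leaders are the
    first instruction, every branch target and every instruction after a branch."""
    labels = {ins[1]: i for i, ins in enumerate(prog) if ins[0] == "label"}
    starts = {0}
    for i, ins in enumerate(prog):
        if ins[0] in ("jmp", "jz"):
            starts.update({labels[ins[-1]], i + 1})
    leaders = sorted(s for s in starts if s < len(prog))
    return list(zip(leaders, leaders[1:] + [len(prog)]))

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, b"ks" + nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
                    for c in range(-(-n // 32)))[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC over an HMAC-SHA256 counter keystream (stdlib stand-in cipher)."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("secure block failed its integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def convert(prog, protect, key):
    """The software converter: extract chosen basic blocks, append a redirect back,
    encrypt each, concatenate into one image, index each block by its RVA."""
    public, image, index = [], b"", {}
    for bid, (a, b) in enumerate(basic_blocks(prog)):
        body = list(prog[a:b])
        if bid not in protect:
            public.extend(body)
            continue
        if body[0][0] == "label":            # entry label stays public so jumps resolve
            public.append(body.pop(0))
        body.append(("secure_ret",))         # redirect secure -> public
        blob = seal(key, json.dumps(body).encode())
        index[bid] = {"rva": len(image), "size": len(blob)}
        image += blob
        public.append(("secure_call", bid))  # preserve context, redirect public -> secure
    return public, image, index

def _step(ins, regs):
    """Execute one instruction in place; return the branch target if taken."""
    def val(x): return regs[x] if isinstance(x, str) else x
    if ins[0] in ALU:
        regs[ins[1]] = ALU[ins[0]](regs.get(ins[1], 0), val(ins[2]))
    elif ins[0] == "jmp" or (ins[0] == "jz" and regs[ins[1]] == 0):
        return ins[-1]
    return None

def _secure_env(body, ctx):
    """Run a decrypted block on a restored copy of the caller's context."""
    regs = dict(ctx)
    for ins in body:
        target = None if ins[0] == "secure_ret" else _step(ins, regs)
        if target is not None:               # the single exit is a taken branch...
            return regs, target
    return regs, None                        # ...or the secure_ret fall-through

def execute(public, image, index, key):
    """The less secure environment.  On secure_call it hands its context to the
    secure environment, which finds the block by RVA, decrypts and runs it, and
    hands back the context plus the block's exit decision."""
    regs, pc, entries = {}, 0, 0
    labels = {ins[1]: i for i, ins in enumerate(public) if ins[0] == "label"}
    while pc < len(public) and public[pc][0] != "ret":
        ins = public[pc]
        if ins[0] == "secure_call":
            ent = index[ins[1]]
            body = json.loads(unseal(key, image[ent["rva"]:ent["rva"] + ent["size"]]))
            regs, target = _secure_env([tuple(i) for i in body], regs)
            entries += 1
        else:
            target = _step(ins, regs)
        pc = labels[target] if target is not None else pc + 1
    return regs, entries

def demo(key=b"\x01" * 32):
    public, image, index = convert(PROGRAM, {1, 2}, key)   # protect loop body and back-edge
    regs, entries = execute(public, image, index, key)
    return regs, entries, index, public, image
```

The single-entry/single-exit property is what makes the hand-off simple: the secure environment only ever has to report one of two outcomes, a taken branch or a fall-through to the instruction after the secure_call, so the public program needs no knowledge of the block's internals. The block's entry label stays in the public image so that existing jumps still resolve, while the protected instructions (here the xor) never appear there. Because each blob carries an authentication tag, a modified image is rejected before any of it executes; a real deployment would additionally keep the key inside the secure environment and check the caller's context on entry, which this toy omits.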
Specification