Software cryptoprocessor

US 9,639,482 B2
Filed: 08/06/2015
Issued: 05/02/2017
Est. Priority Date: 09/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method for securing information stored by a computer, the computer having a processor and a main memory, the processor having a core with cache memory for storing instructions for execution by the core, the method comprising:

loading an agent into the processor and storing the agent into the cache memory so that the agent is resident in the cache memory; and

under control of the core executing instructions of the agent;

upon detecting transmission of encrypted content from the main memory to the cache memory,retrieving the encrypted content from the cache memory;

decrypting the encrypted content; and

storing the decrypted content into the cache memory;

when the decrypted content is to be evicted from the cache memory to the main memory,retrieving the decrypted content from cache memory;

encrypting the decrypted content as newly encrypted content; and

storing the newly encrypted content into the cache memory so that the encrypted content, rather than the decrypted content, is evicted.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security of information—both code and data—stored in a computer'"'"'s system memory is provided by an agent loaded into and at run time resident in a CPU cache. Memory writes from the CPU are encrypted by the agent before writing and reads into the CPU are decrypted by the agent before they reach the CPU. The cache-resident agent also optionally validates the encrypted information stored in the system memory. Support for I/O devices and cache protection from unsafe DMA of the cache by devices is also provided.

93 Citations

View as Search Results

20 Claims

1. A method for securing information stored by a computer, the computer having a processor and a main memory, the processor having a core with cache memory for storing instructions for execution by the core, the method comprising:
- loading an agent into the processor and storing the agent into the cache memory so that the agent is resident in the cache memory; and
  
  under control of the core executing instructions of the agent;
  
  upon detecting transmission of encrypted content from the main memory to the cache memory,retrieving the encrypted content from the cache memory;
  
  decrypting the encrypted content; and
  
  storing the decrypted content into the cache memory;
  
  when the decrypted content is to be evicted from the cache memory to the main memory,retrieving the decrypted content from cache memory;
  
  encrypting the decrypted content as newly encrypted content; and
  
  storing the newly encrypted content into the cache memory so that the encrypted content, rather than the decrypted content, is evicted.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising detecting transmission of encrypted content from the main memory to the cache memory based on a page fault resulting from accessing a page that contains the encrypted content.
  - 3. The method of claim 1, wherein the agent is part of a cache management module of an operating system.
  - 4. The method of claim 1, wherein the main memory includes a memory address space, wherein the method further comprises:
    - organizing the memory address space into memory blocks;
      
      determining a non-cache-conflicting set of the memory blocks; and
      
      marking the non-cache-conflicting set of the memory blocks as cacheable to preventing cache conflicts by the main memory.
  - 5. The method of claim 1, further comprising:
    - storing a data pattern in a cache-backing memory region; and
      
      inspecting contents of the cache-backing memory region to determine a change in the data pattern, said change in the data pattern being indicative of eviction of at least a part of the contents in the cache-backing memory region.
  - 6. The method of claim 1, further comprising prior to loading the agent into the processor, calculating and storing a first hash value of the agent.
  - 7. The method of claim 6, further comprising:
    - after storing the agent into cache memory,calculating a second hash value of the agent stored in the cache memory; and
      
      comparing the second hash value with the first hash value to determine whether the agent has been modified.

8. A system for securing information stored by a computer, comprising:
- a processor having a core with cache memory;
  
  a main memory;
  
  an application for accessing sensitive content that is stored in main memory as encrypted content; and
  
  an agent stored in the cache memory so that the agent is resident in the cache memory, wherein the agent is configured to;
  
  detect that the application has executed an instruction to cause the encrypted content to be transmitted from main memory to the cache memory;
  
  decrypt the encrypted content that is stored in cache memory;
  
  store the decrypted content into the cache memory; and
  
  cause control to be passed to the application for accessing the decrypted content.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The system of claim 8, wherein the agent is further configured to:
    - when the decrypted content is to be evicted from the cache memory to the main memory,encrypt the decrypted content as newly encrypted content; and
      
      store the newly encrypted content into the cache memory so that the encrypted content, rather than the decrypted content, is evicted.
  - 10. The system of claim 8, wherein the agent detects that the application has executed an instruction to cause the encrypted content to be transmitted from main memory to the cache memory based on a page fault resulting from accessing a page that contains the encrypted content.
  - 11. The system of claim 8, wherein the agent is part of a cache management module of an operating system.
  - 12. The system of claim 8, further comprising a component configured to, after storing the agent in cache memory, calculate a hash value of the agent and comparing to the calculated hash value to a previous hash value to determine whether the agent has been modified.
  - 13. The system of claim 8, further comprising a trusted platform module component configured to load the agent into the processor and store the agent into the cache memory before execution of other software.
  - 14. The system of claim 8, further comprising:
    - prior to loading the agent into the processor, calculating and storing a first hash value of the agent; and
      
      after storing the agent into cache memory,calculating a second hash value of the agent stored in the cache memory; and
      
      comparing the second hash value with the first hash value to determine whether the agent has been modified.
  - 15. The system of claim 8, further comprising:
    - storing a data pattern in a cache-backing memory region; and
      
      inspecting contents of the cache-backing memory region to determine a change in the data pattern, said change in the data pattern being indicative of eviction of at least a part of the contents in the cache-backing memory region.
  - 16. The system of claim 8, wherein the encrypted content includes an instruction for execution by the core.

17. A computer-readable medium that is not a transitory, propagating signal storing instructions of a computer for securing content, the computer having a processor and a main memory, the processor having a core with cache memory, the instructions for execution by the core, the instructions comprising:
- instructions of an agent that intercept a transmission of encrypted content from the main memory to the cache memory as a result of software accessing the encrypted content, decrypt the encrypted content that is stored in the cache memory, and store the decrypted content into the cache memory so that the software can access the decrypted content; and
  
  instructions of the agent that, prior to the decrypted content being transmitted from the cache memory to the main memory, encrypts the decrypted content as newly encrypted content wherein the newly encrypted content, rather the decrypted content, is transmitted to main memory.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium of claim 17, wherein the instructions further comprise instructions that store the instructions of the agent into the cache memory so that the agent is resident in the cache memory.
  - 19. The computer-readable medium of claim 17, wherein the agent the instructions that intercept detect that the software has executed an instruction to cause the encrypted content to be transmitted from main memory to the cache memory based on a page fault resulting from the software accessing a page that contains the encrypted content.
  - 20. The computer-readable medium of claim 17, wherein the software agent is part of a cache management module of an operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Original Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Inventors
Horovitz, Oded, Weis, Stephen A., Waldspurger, Carl A., Rihan, Sahil
Primary Examiner(s)
Smithers, Matthew

Application Number

US14/820,428
Publication Number

US 20160224475A1
Time in Patent Office

635 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/0802   Addressing of a memory leve...

G06F 12/0833   in combination with broadca...

G06F 12/0888   using selective caching, e....

G06F 12/12   Replacement control

G06F 12/128   adapted to multidimensional...

G06F 12/1408   by using cryptography for d...

G06F 21/57   Certifying or maintaining t...

G06F 2212/1052   Security improvement

G06F 2212/621   Coherency control relating ...

Software cryptoprocessor

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

93 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Software cryptoprocessor

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others