Processor operable to ensure code integrity

US 9,798,873 B2
Filed: 08/04/2011
Issued: 10/24/2017
Est. Priority Date: 08/04/2011
Status: Active Grant

First Claim

Patent Images

1. A processor comprising:

execution logic configured for executing one or more instructions of an instruction set architecture that executes in-line wherein the one or more instructions have an instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target; and

code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response, wherein the code integrity logic includes at leastcode integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least one metadata indexed by an Instruction Pointer (IP) that indicates execution of the one or more instructions wherein the at least one metadata includes one or more bits per instruction pointer, the tagging specifying whether the next instruction following the branch is a legitimate branch target; and

enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions that control at least one selectable operating mode that enables or disables legitimate branch target enforcement, wherein the at least one selectable operating mode includes at least (1) permitting only local branches to the next instruction following the branch, (2) permitting only local branches to the next instruction following the branch wherein locality is specified as an instruction pointer (IP)-relative branch within a predetermined offset, (3) permitting indirect branches to the next instruction following the branch, (4) prohibiting indirect branches to the next instruction following the branch, and (5) permitting only indirect branches to the next instruction following the branch, wherein a metadata structure accessible to the processor includes at least one list of permitted indirect branch instructions.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processor can be used to ensure that program code can only be used for a designed purpose and not exploited by malware. Embodiments of an illustrative processor can comprise logic operable to execute a program instruction and to distinguish whether the program instruction is a legitimate branch instruction or a non-legitimate branch instruction.

219 Citations

29 Claims

1. A processor comprising:
- execution logic configured for executing one or more instructions of an instruction set architecture that executes in-line wherein the one or more instructions have an instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target; and
  
  code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response, wherein the code integrity logic includes at leastcode integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least one metadata indexed by an Instruction Pointer (IP) that indicates execution of the one or more instructions wherein the at least one metadata includes one or more bits per instruction pointer, the tagging specifying whether the next instruction following the branch is a legitimate branch target; and
  
  enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions that control at least one selectable operating mode that enables or disables legitimate branch target enforcement, wherein the at least one selectable operating mode includes at least (1) permitting only local branches to the next instruction following the branch, (2) permitting only local branches to the next instruction following the branch wherein locality is specified as an instruction pointer (IP)-relative branch within a predetermined offset, (3) permitting indirect branches to the next instruction following the branch, (4) prohibiting indirect branches to the next instruction following the branch, and (5) permitting only indirect branches to the next instruction following the branch, wherein a metadata structure accessible to the processor includes at least one list of permitted indirect branch instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least one bit in the one or more instructions that specifies whether the next instruction following the branch is a legitimate branch target.
  - 3. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least a predetermined special instruction or inclusion in a predetermined special class of instructions designated a legitimate branch target instruction that specifies whether the next instruction following the branch is a legitimate branch target.
  - 4. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least an operation code specifying a No Operation (NOP) instruction of a legacy instruction set that specifies whether the next instruction following the branch is a legitimate branch target.
  - 5. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least a metadata structure indexed by an Instruction Pointer (IP) that indicates execution of the legitimate branch target, the tagging specifying whether the next instruction following the branch is a legitimate branch target.
  - 6. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least one or more single-bit legitimate branch target metadata designating that the one or more instructions is permitted to be a branch target, the tagging specifying whether the next instruction following the branch is a legitimate branch target.
  - 7. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including one or more metadata structures including at least one list of Instruction Pointers (IPs) that indicate execution of the one or more instructions and are indicative of Instruction Pointers (IPs) allowed to branch to a predetermined location, the at least one list including at least one of branch-from Instruction Pointers (IPs) or classes of Instruction Pointers (IPs), the tagging specifying whether the next instruction following the branch is a legitimate branch target.
  - 8. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least in-band metadata including at least one bit in an instruction operation code (opcode), the tagging specifying whether the next instruction following the branch is a legitimate branch target.
  - 9. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least in-band memory metadata including identification of specific legitimate branch target instructions, the tagging specifying whether the next instruction following the branch is a legitimate branch target.
  - 10. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least out-of-band memory metadata including identification of at least one of instruction tags or branch-froms, the tagging specifying whether the next instruction following the branch is a legitimate branch target.
  - 11. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response further comprises:
    - response logic configured for initiating at least one enforcement response including at least one of a trap or an exception for a branch made to an executing instruction that is not a legitimate branch target.
  - 12. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response further comprises:
    - enforcement logic configured for initiating at least one enforcement response according to at least one selectable operating mode including at least one of a trap or an exception if enabled by the selectable operating mode.
  - 13. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response further comprises:
    - enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions that control an operating mode that enables or disables legitimate branch target enforcement by setting a bit in a control register.
  - 14. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response further comprises:
    - enforcement logic configured for controlling legitimate branch target enforcement and configured for enabling checking whether the next instruction following the branch is a legitimate branch target within predetermined functions proximal to an entry point for a function call, and configured for disabling checking on return from the function.
  - 15. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response further comprises:
    - enforcement logic configured for controlling legitimate branch target enforcement and configured for implicitly indicating a position designated by an instruction pointer where checking of whether the next instruction following the branch is a legitimate branch target is performed via out-of-band memory metadata.
  - 16. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - enforcement logic configured for controlling legitimate branch target enforcement and configured for determining whether the next instruction following the branch is a legitimate branch target out-of-line via a thread separate from a thread executing the legitimate branch target.
  - 17. The processor according to claim 1 further comprising:
    - a plurality of execution cores including at least a first core configured to run a main program including the next instruction following the branch and a second core; and
      
      a monitoring program configured for running on the second core and configured for distinguishing whether the next instruction following the branch is a legitimate branch target out-of-line from execution of the main program.
  - 18. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - code integrity logic configured for determining whether a detected branch is branching to a legitimate instruction boundary.
  - 19. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - code integrity logic configured for determining whether a detected branch is branching to a legitimate instruction boundary based at least partially on one or more bits in the target instruction indicating a legitimate instruction boundary.
  - 20. The processor according to claim 1 wherein the code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response comprises:
    - code integrity logic configured for determining whether a detected branch is branching to a legitimate instruction boundary based at least partially on one or more in-line multiple-instruction templates indicating which instruction block (i-block) chunks within an i-block are legitimate instruction beginning points.
  - 21. The processor according to claim 1 wherein the next instruction following the branch includes:
    - at least one of a next instruction in an execution stream or an instruction targeted by at least one of a branch, a conditional branch, an unconditional branch, a direct branch, an indirect branch, a goto, a jump, an indirect jump, a call, a direct call, an indirect call, a return, a return from interrupt, or a return from exception.

22. A processor comprising:
- execution logic configured for executing one or more instructions of an instruction set architecture that executes in-line wherein the one or more instructions have an instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target;
  
  code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, wherein the code integrity logic includes at leastcode integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least one metadata indexed by an Instruction Pointer (IP) that indicates execution of the one or more instructions wherein the at least one metadata includes one or more bits per instruction pointer, the tagging specifying whether the next instruction following the branch is a legitimate branch target; and
  
  enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions that control at least one selectable operating mode that enables or disables legitimate branch target enforcement, wherein the at least one selectable operating mode includes at least (1) permitting only local branches to the next instruction following the branch, (2) permitting only local branches to the next instruction following the branch wherein locality is specified as an instruction pointer (IP)-relative branch within a predetermined offset, (3) permitting indirect branches to the next instruction following the branch, (4) prohibiting indirect branches to the next instruction following the branch, and (5) permitting only indirect branches to the next instruction following the branch, wherein a metadata structure accessible to the processor includes at least one list of permitted indirect branch instructions; and
  
  response logic configured for responding when the next instruction following the branch is not a legitimate branch target based at least partly on the instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target, initiating at least one enforcement response.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The processor according to claim 22, wherein the response logic configured for responding when the next instruction following the branch is not a legitimate branch target based at least partly on the instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target, initiating at least one enforcement response further includes:
    - enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions specified in the instruction set configured for machine execution on the processor and control at least one operating mode that enables or disables legitimate branch target enforcement.
  - 24. The processor according to claim 22, wherein the response logic configured for responding when the next instruction following the branch is not a legitimate branch target based at least partly on the instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target, initiating at least one enforcement response further includes:
    - enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions specified in the instruction set configured for machine execution on the processor and control at least one operating mode that enables or disables legitimate branch target enforcement by setting a bit in a control register.
  - 25. The processor according to claim 22, wherein the response logic configured for responding when the next instruction following the branch is not a legitimate branch target based at least partly on the instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target, initiating at least one enforcement response further includes:
    - enforcement logic configured for controlling legitimate branch target enforcement and configured for enabling checking whether the next instruction following the branch is a legitimate branch target within predetermined functions proximal to an entry point for a function call, and configured for disabling checking on return from the function call.
  - 26. The processor according to claim 22, wherein the response logic configured for responding when the next instruction following the branch is not a legitimate branch target based at least partly on the instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target, initiating at least one enforcement response further includes:
    - enforcement logic including out-of-band metadata configured for controlling legitimate branch target enforcement and configured for implicitly indicating a position designated by an instruction pointer where checking of whether the next instruction following the branch is a legitimate branch target.
  - 27. The processor according to claim 22, wherein the response logic configured for responding when the next instruction following the branch is not a legitimate branch target based at least partly on the instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target, initiating at least one enforcement response further includes:
    - enforcement logic configured for controlling legitimate branch target enforcement and configured for determining whether the next instruction following the branch is a legitimate branch target out-of-line via a thread separate from a thread executing the next instruction following the branch.

28. A processor comprising:
- a plurality of execution cores including at least a first core and a second core;
  
  execution logic configured for executing one or more instructions of an instruction set architecture that executes in-line wherein the one or more instructions have an instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target, the first core configured for running a main program including at least one executing instruction of the one or more instructions in the instruction set, wherein the execution logic includes at leastcode integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least one metadata indexed by an Instruction Pointer (IP) that indicates execution of the one or more instructions wherein the at least one metadata includes one or more bits per instruction pointer, the tagging specifying whether the next instruction following the branch is a legitimate branch target; and
  
  enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions that control at least one selectable operating mode that enables or disables legitimate branch target enforcement, wherein the at least one selectable operating mode includes at least (1) permitting only local branches to the next instruction following the branch, (2) permitting only local branches to the next instruction following the branch wherein locality is specified as an instruction pointer (IP)-relative branch within a predetermined offset, (3) permitting indirect branches to the next instruction following the branch, (4) prohibiting indirect branches to the next instruction following the branch, and (5) permitting only indirect branches to the next instruction following the branch, wherein a metadata structure accessible to the processor includes at least one list of permitted indirect branch instructions; and
  
  a monitoring program configured for running on the second core and configured for determining code integrity, out-of-line from execution of the main program, including at least detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response.

29. A processor comprising:
- an instruction decoder configured for decoding one or more instructions in an instruction set of an instruction set architecture that defines the instruction set by instructions that execute in-line wherein the one or more instructions have an instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target;
  
  execution logic configured for executing the decoded one or more instructions in the instruction set configured for execution on the processor; and
  
  code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response, wherein the code integrity logic includes at leastcode integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least one metadata indexed by an Instruction Pointer (IP) that indicates execution of the one or more instructions wherein the at least one metadata includes one or more bits per instruction pointer, the tagging specifying whether the next instruction following the branch is a legitimate branch target; and
  
  enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions that control at least one selectable operating mode that enables or disables legitimate branch target enforcement, wherein the at least one selectable operating mode includes at least (1) permitting only local branches to the next instruction following the branch, (2) permitting only local branches to the next instruction following the branch wherein locality is specified as an instruction pointer (IP)-relative branch within a predetermined offset, (3) permitting indirect branches to the next instruction following the branch, (4) prohibiting indirect branches to the next instruction following the branch, and (5) permitting only indirect branches to the next instruction following the branch, wherein a metadata structure accessible to the processor includes at least one list of permitted indirect branch instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Elwha LLC (Intellectual Ventures LLC)
Inventors
Glew, Andrew F., Gerrity, Daniel A., Tegreene, Clarence T.
Primary Examiner(s)
Edwards, Linglan

Application Number

US13/136,670
Publication Number

US 20130036464A1
Time in Patent Office

2,273 Days
Field of Search

726 22- 24
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/52   during program execution, e...

G06F 21/71   to assure secure computing ...

G06F 9/30061   Multi-way branch instructio...

G06F 9/30149   of variable length instruct...

G06F 9/30185   according to one or more bi...

G06F 9/32   Address formation of the ne...

G06F 9/322   for non-sequential address

G06F 9/3802   Instruction prefetching

Processor operable to ensure code integrity

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

219 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Processor operable to ensure code integrity

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

219 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links