Processor operable to ensure code integrity
First Claim
Patent Images
1. A processor comprising:
- execution logic configured for executing one or more instructions of an instruction set architecture that executes in-line wherein the one or more instructions have an instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target; and
code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response, wherein the code integrity logic includes at leastcode integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least one metadata indexed by an Instruction Pointer (IP) that indicates execution of the one or more instructions wherein the at least one metadata includes one or more bits per instruction pointer, the tagging specifying whether the next instruction following the branch is a legitimate branch target; and
enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions that control at least one selectable operating mode that enables or disables legitimate branch target enforcement, wherein the at least one selectable operating mode includes at least (1) permitting only local branches to the next instruction following the branch, (2) permitting only local branches to the next instruction following the branch wherein locality is specified as an instruction pointer (IP)-relative branch within a predetermined offset, (3) permitting indirect branches to the next instruction following the branch, (4) prohibiting indirect branches to the next instruction following the branch, and (5) permitting only indirect branches to the next instruction following the branch, wherein a metadata structure accessible to the processor includes at least one list of permitted indirect branch instructions.
7 Assignments
0 Petitions
Accused Products
Abstract
A processor can be used to ensure that program code can only be used for a designed purpose and not exploited by malware. Embodiments of an illustrative processor can comprise logic operable to execute a program instruction and to distinguish whether the program instruction is a legitimate branch instruction or a non-legitimate branch instruction.
219 Citations
29 Claims
-
1. A processor comprising:
-
execution logic configured for executing one or more instructions of an instruction set architecture that executes in-line wherein the one or more instructions have an instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target; and code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response, wherein the code integrity logic includes at least code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least one metadata indexed by an Instruction Pointer (IP) that indicates execution of the one or more instructions wherein the at least one metadata includes one or more bits per instruction pointer, the tagging specifying whether the next instruction following the branch is a legitimate branch target; and enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions that control at least one selectable operating mode that enables or disables legitimate branch target enforcement, wherein the at least one selectable operating mode includes at least (1) permitting only local branches to the next instruction following the branch, (2) permitting only local branches to the next instruction following the branch wherein locality is specified as an instruction pointer (IP)-relative branch within a predetermined offset, (3) permitting indirect branches to the next instruction following the branch, (4) prohibiting indirect branches to the next instruction following the branch, and (5) permitting only indirect branches to the next instruction following the branch, wherein a metadata structure accessible to the processor includes at least one list of permitted indirect branch instructions. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
-
-
22. A processor comprising:
-
execution logic configured for executing one or more instructions of an instruction set architecture that executes in-line wherein the one or more instructions have an instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target; code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, wherein the code integrity logic includes at least code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least one metadata indexed by an Instruction Pointer (IP) that indicates execution of the one or more instructions wherein the at least one metadata includes one or more bits per instruction pointer, the tagging specifying whether the next instruction following the branch is a legitimate branch target; and enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions that control at least one selectable operating mode that enables or disables legitimate branch target enforcement, wherein the at least one selectable operating mode includes at least (1) permitting only local branches to the next instruction following the branch, (2) permitting only local branches to the next instruction following the branch wherein locality is specified as an instruction pointer (IP)-relative branch within a predetermined offset, (3) permitting indirect branches to the next instruction following the branch, (4) prohibiting indirect branches to the next instruction following the branch, and (5) permitting only indirect branches to the next instruction following the branch, wherein a metadata structure accessible to the processor includes at least one list of permitted indirect branch instructions; and response logic configured for responding when the next instruction following the branch is not a legitimate branch target based at least partly on the instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target, initiating at least one enforcement response. - View Dependent Claims (23, 24, 25, 26, 27)
-
-
28. A processor comprising:
-
a plurality of execution cores including at least a first core and a second core; execution logic configured for executing one or more instructions of an instruction set architecture that executes in-line wherein the one or more instructions have an instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target, the first core configured for running a main program including at least one executing instruction of the one or more instructions in the instruction set, wherein the execution logic includes at least code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least one metadata indexed by an Instruction Pointer (IP) that indicates execution of the one or more instructions wherein the at least one metadata includes one or more bits per instruction pointer, the tagging specifying whether the next instruction following the branch is a legitimate branch target; and enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions that control at least one selectable operating mode that enables or disables legitimate branch target enforcement, wherein the at least one selectable operating mode includes at least (1) permitting only local branches to the next instruction following the branch, (2) permitting only local branches to the next instruction following the branch wherein locality is specified as an instruction pointer (IP)-relative branch within a predetermined offset, (3) permitting indirect branches to the next instruction following the branch, (4) prohibiting indirect branches to the next instruction following the branch, and (5) permitting only indirect branches to the next instruction following the branch, wherein a metadata structure accessible to the processor includes at least one list of permitted indirect branch instructions; and a monitoring program configured for running on the second core and configured for determining code integrity, out-of-line from execution of the main program, including at least detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response.
-
-
29. A processor comprising:
-
an instruction decoder configured for decoding one or more instructions in an instruction set of an instruction set architecture that defines the instruction set by instructions that execute in-line wherein the one or more instructions have an instruction encoding that specifies at least one opcode bit defining whether an instruction is a legitimate branch target; execution logic configured for executing the decoded one or more instructions in the instruction set configured for execution on the processor; and code integrity logic configured for detecting a branch in program execution, determining whether a next instruction following a branch is a legitimate branch target according to the at least one opcode bit defining whether the instruction is a legitimate branch target, and if the next instruction following the branch is not a legitimate branch target, initiating at least one enforcement response, wherein the code integrity logic includes at least code integrity logic configured for determining whether a next instruction following a branch is a legitimate branch target based at least partially on tagging including at least one metadata indexed by an Instruction Pointer (IP) that indicates execution of the one or more instructions wherein the at least one metadata includes one or more bits per instruction pointer, the tagging specifying whether the next instruction following the branch is a legitimate branch target; and enforcement logic configured for controlling legitimate branch target enforcement and configured for recognizing and executing one or more instructions that control at least one selectable operating mode that enables or disables legitimate branch target enforcement, wherein the at least one selectable operating mode includes at least (1) permitting only local branches to the next instruction following the branch, (2) permitting only local branches to the next instruction following the branch wherein locality is specified as an instruction pointer (IP)-relative branch within a predetermined offset, (3) permitting indirect branches to the next instruction following the branch, (4) prohibiting indirect branches to the next instruction following the branch, and (5) permitting only indirect branches to the next instruction following the branch, wherein a metadata structure accessible to the processor includes at least one list of permitted indirect branch instructions.
-
Specification