Secure memory controller

US 9,904,485 B2
Filed: 03/31/2016
Issued: 02/27/2018
Est. Priority Date: 03/31/2016
Status: Expired due to Fees

First Claim

Patent Images

1. A method performed by a memory controller implemented as part of a coherent memory architecture employing multiple levels of caches, comprising:

controlling access to system memory, the accesses including memory writes and memory reads;

monitoring patterns of accesses to the system memory, including monitoring bursts of writes to the system memory, the bursts of writes corresponding to function calls from an execution thread written to sequential address;

detecting that a new stack frame corresponding to a called function is added to a stack for the execution thread, the new stack frame beginning with a frame pointer;

updating a current frame-pointer for the stack to the frame-pointer for the new stack frame;

detecting a return address for a function call in the system memory; and

preventing the return address from being overwritten unless the memory controller determines overwriting the return address is safe.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for a secure memory controller. The secure memory controller includes circuitry and logic that is programmed to prevent malicious code from overwrite protected regions of system memory. The memory controller observes memory access patterns and trains itself to identify thread stacks and addresses relating to the thread stacks including stack-frame pointers and return addresses. In one aspect, the memory controller prevents a return address from being overwritten until a proper return from a function call is detected. The memory controller is also configured to prevent malicious code from overwriting page table entries (PTEs) in page tables. Pages containing PTEs are identified, and access is prevented to the PTEs from user-mode code. The PTEs are also scanned to detect corrupted PTEs resulting from bit manipulation by malicious code.

Citations

23 Claims

1. A method performed by a memory controller implemented as part of a coherent memory architecture employing multiple levels of caches, comprising:
- controlling access to system memory, the accesses including memory writes and memory reads;
  
  monitoring patterns of accesses to the system memory, including monitoring bursts of writes to the system memory, the bursts of writes corresponding to function calls from an execution thread written to sequential address;
  
  detecting that a new stack frame corresponding to a called function is added to a stack for the execution thread, the new stack frame beginning with a frame pointer;
  
  updating a current frame-pointer for the stack to the frame-pointer for the new stack frame;
  
  detecting a return address for a function call in the system memory; and
  
  preventing the return address from being overwritten unless the memory controller determines overwriting the return address is safe.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising operations performed by the memory controller including:
    - implementing a linked list of frame-pointers, the linked list including a first frame-pointer; and
      
      when a new stack frame is detected to be added to the stack, appending a frame pointer for the new stack frame to the end of the linked list,wherein each frame-pointer except the first frame-pointer is a previous frame-pointer that points to the frame pointer preceding it in the linked list.
  - 3. The method of claim 2, further comprising operations performed by the memory controller including:
    - detecting that a stack frame has been popped off of the stack for the execution thread;
      
      removing the frame-pointer corresponding to the stack frame that is detected to have been popped off of the stack from the end of the linked list; and
      
      setting the frame-pointer that is now at the end of the linked list as the current frame-pointer.
  - 4. The method of claim 1, further comprising operations performed by the memory controller including:
    - identifying a location in the stack containing a return address for a called function; and
      
      preventing the location from being overwritten until the called function has properly returned to the return address.
  - 5. The method of claim 4, wherein the location in the stack containing the return address for the called function is a memory location having an address in the system memory, further comprising operations performed by the memory controller including:
    - blocking the memory location from being overwritten;
      
      observing a pattern comprising a burst of reads to the system memory;
      
      detecting that an address for one of the reads in the burst of reads is the address for the memory location; and
      
      unblocking the memory location to allow the memory location to be overwritten.
  - 6. The method of claim 4, wherein the location in the stack containing the return address for the called function is a memory location having an address in the system memory, further comprising operations performed by the memory controller including:
    - blocking the memory location from being overwritten;
      
      detecting, while the memory location is blocked, a write access having an address for the memory location;
      
      determining the write access is unsafe; and
      
      asserting an error to cause execution of the thread to halt.
  - 7. The method of claim 1, wherein each memory write includes an address and data further comprising operations performed by the memory controller including:
    - storing a current frame-pointer for the stack, the current frame pointer having a data value that points to the location in a system memory physical address space of a current stack frame for the stack;
      
      for each write in a burst of writes,comparing the data in the write with the data value for the current frame-pointer; and
      
      if the data matches the data value for the current frame-pointer, identifying the memory write as the frame-pointer for a new stack frame.
  - 8. The method of claim 1, further comprising operations performed by the memory controller that prevent malicious code from overwriting page table entries in the system memory.
  - 9. The method of claim 1, wherein the memory controller is integrated in a processor including a user-mode of execution and a privileged-mode of execution, each execution thread being executed by the processor being executed in one of the user-mode and privileged mode, the method further comprising operations performed by the memory controller including:
    - permitting page table entries to be written to the system memory via threads executing in privileged mode; and
      
      preventing page table entries from being written to the system memory via threads executing in the user-mode.
  - 10. The method of claim 1, further comprising operations performed by the memory controller including:
    - scanning memory pages in the system memory to identify if a memory page contains a page table structure;
      
      for a memory page containing a page table structure including a plurality of page table entries; and
      
      checking bit fields in the page table entries to determine whether a page table entry has been corrupted.
  - 11. The method of claim 10, further comprising operations performed by the memory controller including:
    - detecting that a memory write will result in a change to a page table entry (PTE) mapping;
      
      determining if a new page corresponding to the PTE mapping is legitimate; and
      
      if the new page is determined to be legitimate, allowing the change to the PTE to proceed, otherwise preventing the change to the PTE.

12. An apparatus, configured to interface with system memory when installed in a computer system including system memory and multiple levels of caches implemented as a coherent memory architecture, comprising:
- a memory controller including circuitry and logic configured to,receive memory access requests comprising write and read accesses for writing to and reading from the system memory, each write and read access including an address in an address space for the system memory;
  
  monitor patterns of accesses to the system memory;
  
  identify, via observation of access patterns to the system memory, regions of memory to protect write access from malicious code;
  
  detect, based on observed memory access patterns, a memory write access request to a region of memory to be protected from malicious code; and
  
  detect whether the memory write access request is from malicious code, monitor bursts of writes to the system memory, the bursts of writes written to sequential addresses and corresponding to function calls from an execution thread executing on a processor core in the computer system;
  
  detect that a new stack from corresponding to a called function is added to a stack maintained in system memory for the execution thread, the new stack frame beginning with a frame-pointer;
  
  store a local current frame-pointer for the stack in the local memory or a register;
  
  update the local current frame pointer for the new stack from; and
  
  if it is, deny the write access request,otherwise, allow the write access request to proceed.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The apparatus of claim 12, wherein the circuitry and logic in the memory controller is further configured to:
    - implement a linked list of frame-pointers in the local memory, the linked list including a first frame-pointer; and
      
      when a new stack frame is detected to be pushed on the stack, append a frame-pointer for the new stack frame to the end of the linked list,wherein each frame-pointer in the linked list except the first frame-pointer is a previous frame-pointer that points to the frame pointer preceding it in the linked list.
  - 14. The apparatus of claim 13, wherein the circuitry and logic in the memory controller is further configured to:
    - detect that a stack frame has been popped off of the stack for the execution thread;
      
      remove the frame-pointer corresponding to the stack frame that is detected to have been popped off of the stack from the end of the linked list; and
      
      update the local current frame-pointer to the frame-pointer that is now at the end of the linked list.
  - 15. The apparatus of claim 12, wherein the circuitry and logic in the memory controller is further configured to:
    - identify a location in the stack containing a return address for the called function; and
      
      prevent data in system memory at an address corresponding to the location from being overwritten until execution of the called function has properly returned to the return address.
  - 16. The apparatus of claim 15, wherein the location in the stack containing the return address for the called function is a memory location having an address in the system memory, and wherein the circuitry and logic in the memory controller is further configured to:
    - block the memory location from being overwritten;
      
      observe an access pattern comprising a burst of reads to the system memory;
      
      detect that an address for one of the reads in the burst of reads is the address for the memory location; and
      
      unblock the memory location to allow the memory location to be overwritten.
  - 17. The apparatus of claim 15, wherein the location in the stack containing the return address for the called function is a memory location having an address in the system memory, and wherein the circuitry and logic in the memory controller is further configured to:
    - block the memory location from being overwritten;
      
      detect, while the memory location is blocked, a write access having an address for the memory location;
      
      determine the write access is from malicious code; and
      
      assert an error.
  - 18. The apparatus of claim 12, wherein during operation of the computer system an operating system accesses and modifies a memory page table containing a plurality of page table entries and the circuitry and logic in the memory controller is further configured, exclusive of any input from the operating system, to prevent malicious code from overwriting page table entries.
  - 19. The apparatus of claim 18, wherein the memory controller is integrated in a processor including a user-mode of execution and a privileged-mode of execution, each execution thread being executed by the processor being executed in one of the user-mode and privileged mode, and wherein the circuitry and logic in the memory controller is further configured to:
    - permit page table entries to be written to the system memory via threads executing in privileged mode; and
      
      preventing page table entries from being written to the system memory via threads executing in the user-mode.
  - 20. The apparatus of claim 12, wherein the memory controller includes at least one of local memory and a plurality of registers and the circuitry and logic in the memory controller is further configured to:
    - scan memory pages in the system memory to identify if a memory page contains a page table structure; and
      
      for a memory page containing a page table structure including a plurality of page table entries,checking bit fields in the page table entries to determine whether a page table entry has been corrupted.

21. A system comprising:
- system memory having an address space;
  
  a processor including,a plurality of processor cores, each including a local level 1 (L1) and level 2 (L2) cache and coupled to an interconnect;
  
  a last level cache, coupled to the interconnect;
  
  a memory controller, operatively coupled to the last level cache and including an interface coupled to system memory, including circuitry and logic configured to,receive memory access requests comprising write and read accesses for writing to and reading from the system memory, each write and read access including an address in the system memory;
  
  monitor patterns of access to the system memory;
  
  identify, via observation of access patterns to the system memory, regions of memory to protect write access from malicious code;
  
  monitor bursts of writes to the system memory, the bursts of writes written to sequential addresses and corresponding to function calls from an execution thread executing on a processor core in the computer system;
  
  detect that a new stack from corresponding to a called function is added to a stack maintained in system memory for the execution thread, the new stack frame beginning with a frame-pointer;
  
  identify a location in the stack containing a return address for the called function;
  
  monitor patterns of accesses to the system memory;
  
  identify, via observation of access patterns to the system memory, regions of memory to protect write access from malicious code;
  
  detect, a memory write access request to the location in the stack containing the return address; and
  
  detect whether the memory write access request is from malicious code, and if it is, deny the write access request,otherwise, allow the write access request to proceed.
- View Dependent Claims (22, 23)
- - 22. The system of claim 21, wherein the memory controller includes at least one of local memory and a plurality of registers and the circuitry and logic in the memory controller is further configured toprevent data in system memory at an address corresponding to the location from being overwritten until execution of the called function has properly returned to the return address, wherein proper return of the of the called function is detected by observing a burst of reads corresponding to the new stack frame being pushed off of the stack.
  - 23. The system of claim 21, wherein during operation of the system an operating system accesses and modifies a memory page table containing a plurality of page table entries and the circuitry and logic in the memory controller is further configured, exclusive of any input from the operating system, to prevent malicious code from overwriting page table entries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Gopal, Vinodh
Primary Examiner(s)
Chappell, Daniel C

Application Number

US15/086,523
Publication Number

US 20170285986A1
Time in Patent Office

698 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/0897   with two or more cache hier...

G06F 12/1425   the protection being physic...

G06F 21/78   to assure secure storage of...

G06F 2212/1052   Security improvement

G06F 2212/451   Stack data

Secure memory controller

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Secure memory controller

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links