Secure memory controller
First Claim
1. A method performed by a memory controller implemented as part of a coherent memory architecture employing multiple levels of caches, comprising:
controlling access to system memory, the accesses including memory writes and memory reads;
monitoring patterns of accesses to the system memory, including monitoring bursts of writes to the system memory, the bursts of writes corresponding to function calls from an execution thread written to sequential addresses;
detecting that a new stack frame corresponding to a called function is added to a stack for the execution thread, the new stack frame beginning with a frame pointer;
updating a current frame-pointer for the stack to the frame-pointer for the new stack frame;
detecting a return address for a function call in the system memory; and
preventing the return address from being overwritten unless the memory controller determines overwriting the return address is safe.
Abstract
Methods and apparatus for a secure memory controller. The secure memory controller includes circuitry and logic that is programmed to prevent malicious code from overwriting protected regions of system memory. The memory controller observes memory access patterns and trains itself to identify thread stacks and addresses relating to the thread stacks, including stack-frame pointers and return addresses. In one aspect, the memory controller prevents a return address from being overwritten until a proper return from a function call is detected. The memory controller is also configured to prevent malicious code from overwriting page table entries (PTEs) in page tables. Pages containing PTEs are identified, and access to the PTEs from user-mode code is prevented. The PTEs are also scanned to detect corrupted PTEs resulting from bit manipulation by malicious code.
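As an added illustration (not code from the patent or its assignee), the following C model captures the claimed return-address protection in simplified form: the controller records the stack slot that receives the return address when a new frame is pushed, refuses ordinary stores to that slot while the frame is live, and lifts the protection only when the proper return consumes it. It assumes a constructed word-addressed toy memory in which call and return are signalled to the controller explicitly (the real controller infers them from the burst-of-writes pattern), and a hypothetical callee with a 4-word local buffer.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#define MEM_WORDS  64  /* toy word-addressed system memory (constructed) */
#define MAX_FRAMES 8   /* depth of the controller's return-slot table */
/* Controller state: memory, stack pointer, and the slots currently known to
 * hold a live return address (one per frame, innermost last). */
typedef struct {
    uint32_t mem[MEM_WORDS];
    uint32_t sp;
    uint32_t ret_slot[MAX_FRAMES];
    int      depth;
} controller_t;
static void ctrl_init(controller_t *c, uint32_t sp) { memset(c, 0, sizeof *c); c->sp = sp; }

/* New frame: the first word pushed is the return address, so the controller
 * records that slot as write-protected. */
static void ctrl_call(controller_t *c, uint32_t ret_addr) {
    c->mem[--c->sp] = ret_addr;
    if (c->depth < MAX_FRAMES) c->ret_slot[c->depth++] = c->sp;
}

/* Ordinary data store from the thread: refused while addr is a live return slot. */
static bool ctrl_write(controller_t *c, uint32_t addr, uint32_t val) {
    for (int i = 0; i < c->depth; i++)
        if (c->ret_slot[i] == addr) return false;
    c->mem[addr] = val;
    return true;
}

/* Proper return: the slot is consumed, the frame is gone, protection is lifted. */
static uint32_t ctrl_ret(controller_t *c) {
    uint32_t target = c->mem[c->sp];
    if (c->depth > 0 && c->ret_slot[c->depth - 1] == c->sp) c->depth--;
    c->sp++;
    return target;
}

/* Scenario: a callee's 4-word local buffer is written past its end toward the saved
 * return address. Returns the address returned to; *refused counts blocked stores. */
static uint32_t demo_overrun(int overrun_words, int *refused) {
    controller_t c;
    ctrl_init(&c, 32);
    ctrl_call(&c, 0x1000);            /* return address lands in mem[31] */
    c.sp -= 4;                        /* callee's buffer occupies mem[27..30] */
    *refused = 0;
    for (int i = 0; i < overrun_words; i++)
        if (!ctrl_write(&c, 27 + i, 0x41414141)) (*refused)++;
    c.sp += 4;                        /* callee releases its locals */
    return ctrl_ret(&c);
}
```

With a 6-word overrun the store to mem[31] is refused and the thread still returns to 0x1000; once the frame has properly returned, the same slot accepts writes again.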
23 Claims
1. [Independent claim 1; text reproduced above under First Claim.] Dependent claims: 2 to 11.
12. An apparatus, configured to interface with system memory when installed in a computer system including system memory and multiple levels of caches implemented as a coherent memory architecture, comprising:
a memory controller including circuitry and logic configured to,
receive memory access requests comprising write and read accesses for writing to and reading from the system memory, each write and read access including an address in an address space for the system memory;
monitor patterns of accesses to the system memory;
identify, via observation of access patterns to the system memory, regions of memory to protect write access from malicious code;
detect, based on observed memory access patterns, a memory write access request to a region of memory to be protected from malicious code; and
detect whether the memory write access request is from malicious code,
monitor bursts of writes to the system memory, the bursts of writes written to sequential addresses and corresponding to function calls from an execution thread executing on a processor core in the computer system;
detect that a new stack frame corresponding to a called function is added to a stack maintained in system memory for the execution thread, the new stack frame beginning with a frame-pointer;
store a local current frame-pointer for the stack in the local memory or a register;
update the local current frame-pointer for the new stack frame; and
if it is, deny the write access request, otherwise, allow the write access request to proceed.
Dependent claims: 13 to 20.
21. A system comprising:
system memory having an address space;
a processor including a plurality of processor cores, each including a local level 1 (L1) and level 2 (L2) cache and coupled to an interconnect;
a last level cache, coupled to the interconnect;
a memory controller, operatively coupled to the last level cache and including an interface coupled to system memory, including circuitry and logic configured to,
receive memory access requests comprising write and read accesses for writing to and reading from the system memory, each write and read access including an address in the system memory;
monitor patterns of access to the system memory;
identify, via observation of access patterns to the system memory, regions of memory to protect write access from malicious code;
monitor bursts of writes to the system memory, the bursts of writes written to sequential addresses and corresponding to function calls from an execution thread executing on a processor core in the computer system;
detect that a new stack frame corresponding to a called function is added to a stack maintained in system memory for the execution thread, the new stack frame beginning with a frame-pointer;
identify a location in the stack containing a return address for the called function;
monitor patterns of accesses to the system memory;
identify, via observation of access patterns to the system memory, regions of memory to protect write access from malicious code;
detect a memory write access request to the location in the stack containing the return address; and
detect whether the memory write access request is from malicious code, and if it is, deny the write access request, otherwise, allow the write access request to proceed.
Dependent claims: 22 and 23.