Interested in licensing this patent?
MTEC can help explore whether this patent might be available for licensing for your application.
Assignees
Charles Stark Draper Laboratory Inc
Draper
Draper is an independent nonprofit engineering innovation company with a legacy spanning over 90 years, dedicated to delivering transformative solutions for national security, prosperity, and global challenges. Renowned for its pioneering work in guidance, navigation, and control (GN&C) systems, Draper partners with government, industry, and academia to engineer advanced technologies in space, defense, biotechnology, and electronic systems. The company leverages multidisciplinary expertise, digital engineering, and a collaborative approach to provide field-ready prototypes, mission-critical systems, and innovative research. Draper’s mission is to ensure the nation's security and prosperity by delivering sustainable, cutting-edge solutions that address the toughest problems of today and tomorrow, while fostering an inclusive and diverse workforce. Draper also invests in the next generation of innovators through robust educational programs, including internships, co-ops, and the Draper Scholars Program, integrating academic research with real-world problem-solving.
Abstract
A method comprises receiving a current instruction for metadata processing performed in a metadata processing domain that is isolated from a code execution domain including the current instruction. The method further comprises determining, by the metadata processing domain in connection with metadata for the current instruction, whether to allow execution of the current instruction in accordance with a set of one or more policies. The one or more policies may include a set of rules that enforces execution of a complete sequence of instructions in a specified order from a first instruction of the complete sequence to a last instruction of the complete sequence. The metadata processing may be implemented by a metadata processing hierarchy comprising a control module, a masking module, a hash module, a rule cache lookup module, and/or an output tag module.
Core Innovation
A method comprises receiving a current instruction for metadata processing performed in a metadata processing domain that is isolated from a code execution domain including the current instruction. The method further comprises determining, by the metadata processing domain in connection with metadata for the current instruction, whether to allow execution of the current instruction in accordance with a set of one or more policies.
In accordance with one aspect of the techniques described herein is a method of processing instructions comprising: receiving, for metadata processing, a current instruction with an associated metadata tag, said metadata processing being performed in a metadata processing domain isolated from a code execution domain including the current instruction; determining, in the metadata processing domain and in accordance with the metadata tag and the current instruction, whether a rule exists in a rule cache for the current instruction, said rule cache including rules on metadata used by said metadata processing to define allowed operations; and responsive to determining no rule exists in the rule cache for the current instruction, performing rule cache miss processing in the metadata processing domain comprising: determining whether execution of the current instruction is allowed; responsive to determining the current instruction is allowed to be executed in the code execution domain, generating a new rule for the current instruction; and responsive to writing to a register, inserting the new rule into the rule cache.
The metadata processing may be implemented by a metadata processing hierarchy comprising a control module, a masking module, a hash module, a rule cache lookup module, and/or an output tag module.
Claims Coverage
Independent claims identified: claim 1 (method) and claim 10 (system). The following extracts list the main inventive features explicit in those independent claims.
Metadata processing domain isolated from code execution domain
receiving a current instruction for metadata processing performed in a metadata processing domain that is isolated from a code execution domain, including the current instruction, by constraining communication between the metadata processing domain and the code execution domain to occur through one or more control state registers (CSRs), wherein communication is constrained by preventing instructions of executing code from reading or writing metadata tags or rules to/from the one or more CSRs based upon a protection level of the executing code;
Policy enforcement including complete instruction sequences
determining, by the metadata processing domain in connection with metadata for the current instruction, whether to allow execution of the current instruction in accordance with a set of one or more policies, wherein the one or more policies includes a set of rules that enforces execution of a complete sequence of instructions in a specified order from a first instruction of the complete sequence to a last instruction of the complete sequence,
Metadata processing hierarchy with control, masking, hash, and lookup modules
wherein the metadata processing of the current instruction is implemented by a metadata processing hierarchy comprising a control module that controls rule insertion into a rule cache based upon received Programmable Unit for Metadata Processing (PUMP) inputs associated with the current instruction, wherein the control module is configured to utilize (i) a masking module that masks out unused PUMP inputs based upon a mode of the one or more CSRs, (ii) a hash module that generates a hash used during rule cache lookup of the set of the rules, (iii) a rule cache lookup module that utilizes the hash, and (iv) an output tag module that outputs selected metadata tags and the mode of the one or more CSRs based on a threshold for PUMP operation;
Rule generation and insertion on allowed execution
responsive to determining to allow communication with the one or more CSRs and allow execution of the current instruction in the code execution domain, generating a new rule for the current instruction based upon the selected metadata tags and inserting the new rule into the rule cache.
System storing code to perform the metadata-processing method
a memory comprising code stored therein that, when executed by the at least one processor, performs a method of processing instructions comprising: receiving, for metadata processing, a current instruction with an associated metadata tag, said metadata processing being performed in a metadata processing domain isolated from a code execution domain including the current instruction; determining, in the metadata processing domain and in accordance with the metadata tag and the current instruction, whether a rule exists in a rule cache for the current instruction, said rule cache including rules on metadata used by said metadata processing to define allowed operations; and responsive to determining no rule exists in the rule cache for the current instruction, performing rule cache miss processing in the metadata processing domain comprising: determining whether execution of the current instruction is allowed; responsive to determining the current instruction is allowed to be executed in the code execution domain, generating a new rule for the current instruction; and responsive to writing to a register, inserting the new rule into the rule cache.
Logic-based hierarchy modules in the system claim
wherein the metadata processing of the current instruction is implemented by a metadata processing hierarchy comprising a logic-based control module that controls rule insertion into a rule cache based upon received Programmable Unit for Metadata Processing (PUMP) inputs associated with the current instruction, wherein the control module is configured to utilize (i) a logic-based masking module that masks out unused PUMP inputs based upon a mode of the one or more CSRs, (ii) a logic-based hash module that generates a hash used during rule cache lookup of the set of rules, (iii) a logic-based rule cache lookup module that utilizes the hash, and (iv) a logic-based output tag module that outputs selected metadata tags and the mode of the one or more CSRs based on a threshold for PUMP operation;
The independent claims present a PUMP-based metadata-processing architecture that isolates metadata handling from code execution via CSRs, enforces policies including ordered instruction sequences, implements a modular metadata-processing hierarchy (control/masking/hash/lookup/output), and specifies generation and insertion of new rules into a hardware rule cache when execution is allowed.
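The following is an added software model, not Draper's code nor anything taken from the patent, of the flow the claims describe: a rule cache keyed on an instruction's opcode and tags, a miss handler that consults the policies in a separate step and inserts a rule only when execution is allowed, and two of the documented policies (the ordered-sequence rule and NXD+NWC). The tag names, the three-step sequence and the choice to model sequence progress as a PC-style tag are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Instr:
    op: str       # constructed opcodes: "load", "store" or "exec"
    mem_tag: str  # tag on the word touched: "code" or "data"
    seq_tag: str  # "" or a step label of a protected sequence ("s1", "s2", "s3")

SEQUENCE = ("s1", "s2", "s3")  # constructed: steps that must run in this order

def nxd_nwc(ins):
    """Non-Executable Data / Non-Writable Code, decided purely from tags."""
    if ins.op == "exec" and ins.mem_tag != "code":
        return False
    if ins.op == "store" and ins.mem_tag == "code":
        return False
    return True

def ordered_sequence(ins, pc_state):
    """pc_state stands in for a PC tag recording the next expected step.
    Returns (allowed, new_pc_state); untagged instructions pass unchanged."""
    if ins.seq_tag == "":
        return True, pc_state
    if ins.seq_tag == SEQUENCE[pc_state]:
        return True, (pc_state + 1) % len(SEQUENCE)
    return False, pc_state

class PUMP:
    """Rule cache plus miss handler; policies only run on a miss."""
    def __init__(self):
        self.rule_cache = {}  # (op, mem_tag, seq_tag, pc_state) -> (allowed, new_state)
        self.misses = 0

    def resolve(self, ins, pc_state):
        key = (ins.op, ins.mem_tag, ins.seq_tag, pc_state)
        if key in self.rule_cache:          # fast path: cached rule
            return self.rule_cache[key]
        self.misses += 1                    # miss: evaluate the composed policies
        allowed, new_state = ordered_sequence(ins, pc_state)
        allowed = allowed and nxd_nwc(ins)
        result = (allowed, new_state)
        if allowed:                         # only allowed outcomes become rules
            self.rule_cache[key] = result
        return result

def run(pump, program):
    pc_state, trace = 0, []
    for ins in program:
        allowed, next_state = pump.resolve(ins, pc_state)
        if not allowed:
            trace.append("violation")       # hardware would trap here
            break
        trace.append("ok")
        pc_state = next_state
    return trace
```

Running the same program twice shows the second pass served entirely from the rule cache, while an out-of-order step or an execute-from-data instruction stops at a violation.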
Stated Advantages
Provides a flexible security architecture that can be quickly adapted to an ever-changing landscape.
Provides support for software-defined metadata processing with minimal overhead.
Extensible to generally support and enforce any number and type of policies without placing a visible, hard bound on the number of bits allocated to metadata.
Allows metadata to be propagated during execution to enforce policies and catch violations such as by malicious code or malware attacks.
Hardware rule cache and micro-architectural optimizations reduce runtime, energy, and power overheads compared to naïve implementations (examples reported: typical runtime under 10%, power ceiling impact about 10%, typical energy overhead around 60% with optimized design).
Documented Applications
Non-Executable Data and Non-Writable Code (NXD+NWC) policy that uses tags to distinguish code from data in memory and provides protection against simple code injection attacks.
Memory Safety policy that detects spatial and temporal violations in heap-allocated memory, extending with an effectively unlimited number of colors for taint marks.
Control-Flow Integrity (CFI) policy that restricts indirect control transfers to only the allowed edges in a program's control flow graph, preventing return-oriented-programming-style attacks.
Fine-grained Taint Tracking policy where each word can potentially be tainted by multiple sources (libraries and I/O streams) simultaneously.
Composition of multiple policies simultaneously (e.g., the Composite policy that enforces spatial/temporal memory safety, taint tracking, control-flow integrity, and code/data separation).
Use with conventional processors (e.g., RISC-CPU), GPUs, vector processors, and integration as a pipeline stage or as a standalone metadata-processing subsystem.
Application to broader policy classes including information-flow control, fine-grained access control, integrity, synchronization, race detection, debugging, application-specific policies, and controlled generation and execution of dynamic code, as described.