Secure sensor data transport and processing

US 10,069,826 B2
Filed: 09/19/2017
Issued: 09/04/2018
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A device including sensor-based security, comprising:

secured resources;

sensor circuitry to generate sensor data;

memory circuitry including at least a trusted execution environment comprising access control circuitry to control access to the secured resources based on the sensor data, the access control circuitry including;

matching circuitry to;

compare the sensor data to previously captured sensor data for users permitted to access the secured resources; and

output a match determination based on the comparison; and

output circuitry to, based on the match determination;

permit a user of the device to access the secured resources;

orperform at least one activity associated with a security exception; and

processing circuitry to;

cause execution in the device to be temporarily suspended; and

transfer the sensor data from a first memory location in the memory circuitry associated with the sensor circuitry to a second memory location within the trusted execution environment during the temporary suspension.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is directed to secure sensor data transport and processing. End-to-end security may prevent attackers from altering data during the sensor-based security procedure. For example, following sensor data capture execution in a device may be temporarily suspended. During the suspension of execution, sensor interface circuitry in the device may copy the sensor data from a memory location associated with the sensor to a trusted execution environment (TEE) within the device. The TEE may provide a secure location in which the sensor data may be processed and a determination may be made as to whether to grant access to the secure resources. The TEE may comprise, for example, match circuitry to compare the sensor data to previously captured sensor data for users that are allowed to access the secured resources and output circuitry to grant access to the secured resources or to perform activities associated with a security exception.

Citations

20 Claims

1. A device including sensor-based security, comprising:
- secured resources;
  
  sensor circuitry to generate sensor data;
  
  memory circuitry including at least a trusted execution environment comprising access control circuitry to control access to the secured resources based on the sensor data, the access control circuitry including;
  
  matching circuitry to;
  
  compare the sensor data to previously captured sensor data for users permitted to access the secured resources; and
  
  output a match determination based on the comparison; and
  
  output circuitry to, based on the match determination;
  
  permit a user of the device to access the secured resources;
  
  orperform at least one activity associated with a security exception; and
  
  processing circuitry to;
  
  cause execution in the device to be temporarily suspended; and
  
  transfer the sensor data from a first memory location in the memory circuitry associated with the sensor circuitry to a second memory location within the trusted execution environment during the temporary suspension.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The device of claim 1, wherein the processing circuitry processor is to cause normal execution in the device to be temporarily suspended by causing the device to enter a system management mode.
  - 3. The device of claim 1, further comprising at least an operating system including at least a sensor driver to notify the processing circuitry that sensor data has been generated.
  - 4. The device of claim 3, wherein the sensor driver is further to send a message to a boot code runtime application program interface loaded into the memory circuitry during device boot up.
  - 5. The device of claim 1, further comprising at least sensor interface circuitry to access the memory location associated with the sensor circuitry and transfer the sensor data.
  - 6. The device of claim 5, wherein the sensor interface circuitry includes at least:
    - system management interrupt (SMI) handling circuitry; and
      
      host embedded controller interface circuitry.
  - 7. The device of claim 6, wherein the sensor circuitry includes a biometric sensor to capture biometric data from the user of the device.
  - 8. The device of claim 5, wherein:
    - the memory location associated with the sensor circuitry is fixed in the memory circuitry; and
      
      the processing circuitry is further to provide the memory location associated with the sensor circuitry to the sensor interface circuitry during device boot up.
  - 9. The device of claim 1, wherein the previously captured sensor data for users permitted to access the secured resources is stored within the trusted execution environment.
  - 10. The device of claim 1, wherein the trusted execution environment is based on at least one of Secure Guard Extensions (SGX) technology or Management Engine (ME) technology.

11. A method for sensor-based security, comprising:
- triggering a secured resource access protocol in a device;
  
  capturing sensor data using at least one sensor in the device;
  
  causing processing circuitry in the device to temporarily suspend execution; and
  
  causing the processing circuitry to transfer the sensor data from a first memory location in memory circuitry in the device associated with the at least one sensor to a second memory location in a trusted execution environment in the memory circuitry during the temporary suspension;
  
  comparing, within the trusted execution environment, the sensor data to previously captured sensor data for users permitted to access the secured resources;
  
  outputting, within the trusted execution environment, a match determination based on the comparison; and
  
  based on the match determination;
  
  permitting a user of the device to access the secured resources;
  
  orperforming at least one activity associated with a security exception.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the causing the processing circuitry to transfer the sensor data from a first memory location in memory circuitry in the device associated with the at least one sensor to a second memory location in a trusted execution environment in the memory circuitry during the temporary suspension comprises:
    - accessing, via sensor interface circuitry, a first memory location in memory circuitry in the device associated with the at least one sensor; and
      
      copying, by the sensor interface circuitry, the sensor data from the first memory location to a second memory location in a trusted execution environment in the memory circuitry during the temporary suspension.
  - 13. The method of claim 12, wherein:
    - the first memory location is fixed in the memory circuitry; and
      
      the method further comprises causing the processing circuitry to provide the first memory location to the sensor interface circuitry during device boot up.
  - 14. The method of claim 13, wherein the at least one sensor includes a biometric sensor to capture biometric data from the user of the device.
  - 15. The method of claim 11, wherein the previously captured sensor data for users permitted to access the secured resources is stored within the trusted execution environment.

16. One or more non-transitory machine-readable storage devices having instructions stored thereon which, when executed by at least one processor, cause the at least one processor to perform operations for sensor-based security comprising:
- trigger a secured resource access protocol in a device;
  
  capture sensor data using at least one sensor in the device;
  
  temporarily suspend execution;
  
  transfer the sensor data from a first memory location in memory circuitry in the device associated with the at least one sensor to a second memory location in a trusted execution environment in the memory circuitry during the temporary suspension;
  
  compare, within the trusted execution environment, the sensor data to previously captured sensor data for users permitted to access secured resources;
  
  output, within the trusted execution environment, a match determination based on the comparison; and
  
  based on the match determination;
  
  permit a user of the device to access the secured resources;
  
  orperform at least one activity associated with a security exception.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The one or more non-transitory machine-readable storage devices of claim 16, wherein the instructions resulting in the operations transfer the sensor data from a first memory location in memory circuitry in the device associated with the at least one sensor to a second memory location in a trusted execution environment in the memory circuitry during the temporary suspension, when executed by the at least one processor, cause the at least one processor to perform additional operations comprising:
    - access, via sensor interface circuitry, a first memory location in memory circuitry in the device associated with the at least one sensor; and
      
      copy the sensor data from the first memory location to a second memory location in a trusted execution environment in the memory circuitry during the temporary suspension.
  - 18. The one or more non-transitory machine-readable storage devices of claim 17, wherein:
    - the first memory location is fixed in the memory circuitry; and
      
      the instructions, when executed by the at least one processor, cause the at least one processor to perform additional operations comprising;
      
      provide the first memory location to the sensor interface circuitry during device boot up.
  - 19. The one or more non-transitory machine-readable storage devices of claim 18, wherein the at least one sensor includes a biometric sensor to capture biometric data from the user of the device.
  - 20. The one or more non-transitory machine-readable storage devices of claim 16, wherein the previously captured sensor data for users permitted to access the secured resources is stored within the trusted execution environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Khosravi, Hormuzd M., Coury, Bassam N., Zimmer, Vincent J.
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/709,091
Publication Number

US 20180026981A1
Time in Patent Office

350 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/57   Certifying or maintaining t...

G06F 21/606   by securing the transmissio...

H04L 63/0861   using biometrical features,...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

Secure sensor data transport and processing

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure sensor data transport and processing

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links