Trusted execution environment extensible computing device interface

US 10,097,513 B2
Filed: 09/14/2014
Issued: 10/09/2018
Est. Priority Date: 09/14/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing an interface platform including a non-extensible interface and a plurality of extensible interfaces, each of the plurality of extensible interfaces specifically configured to communicate with an associated application or service within a third party environment in a format specific to the associated application or service, and the non-extensible interface providing a single extension point for a plurality of applications or services in a client environment to communicate with third party applications or services in the third party environment;

identifying a priority of the plurality of applications or services to be executed within the client environment, wherein the plurality of applications or services includes a first application or a first service having a higher priority than a background application or background service;

receiving from the first application or first service among the plurality of applications or services within the client environment, via the non-extensible interface, a first request to establish a first communication with a second application or second service within the third party environment, the first request includes a first message in a first format, and wherein the first application or first service has a first security policy and the second application or second service has a second security policy that is different from the first security policy;

receiving from the background application or background service among the plurality of applications or services within the client environment, via the non-extensible interface, a second request to establish a second communication with a third application or third service within the third party environment, wherein the second request includes a second message;

selecting, from the plurality of extensible interfaces, a first extensible interface being associated with the second application or second service within the third party environment;

selecting, from the plurality of extensible interfaces, a second extensible interface being associated with the third application or third service within the third party environment;

modifying, by the first extensible interface, the first format of the first message to a second format of the first message, based at least in part on the first security policy and the second security policy;

establishing, via the first extensible interface, the first communication between the first application or first service and the second application or second service;

establishing, via the second extensible interface, the second communication between the background application or background service and the third application or third service;

transmitting, via the first communication, the second format of the first message to the second application or second service prior to transmitting, via the second communication, the second message to the third application or third service in response to the first application or the first service having the higher priority than the background application or background service; and

transmitting and receiving data between the first application or first service and the second application or second service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Constructs to define a Trusted Execution Environment Driver that can implement a standard communication interface in a first environment for discovering and/or exchanging messages with secure applications/services executed in a Trusted Execution Environment (TrEE). The first environment can represent an environment with a different security policy from the TrEE. The TrEE driver can include a standard interface and/or mechanism by which applications/services and drivers within a first environment can access secure applications/services in the TrEE, a standard interface and/or mechanism by which third-party vendors can expose their TrEE applications/services to a first environment, a standard interface and/or mechanism by which a TrEE can request applications/services, on its own behalf, from the first environment, and a standard interface and/or mechanism to facilitate the management of secure application/services and/or provide I/O prioritization and security protection for individual secure applications/services.

66 Citations

View as Search Results

18 Claims

1. A method comprising:
- providing an interface platform including a non-extensible interface and a plurality of extensible interfaces, each of the plurality of extensible interfaces specifically configured to communicate with an associated application or service within a third party environment in a format specific to the associated application or service, and the non-extensible interface providing a single extension point for a plurality of applications or services in a client environment to communicate with third party applications or services in the third party environment;
  
  identifying a priority of the plurality of applications or services to be executed within the client environment, wherein the plurality of applications or services includes a first application or a first service having a higher priority than a background application or background service;
  
  receiving from the first application or first service among the plurality of applications or services within the client environment, via the non-extensible interface, a first request to establish a first communication with a second application or second service within the third party environment, the first request includes a first message in a first format, and wherein the first application or first service has a first security policy and the second application or second service has a second security policy that is different from the first security policy;
  
  receiving from the background application or background service among the plurality of applications or services within the client environment, via the non-extensible interface, a second request to establish a second communication with a third application or third service within the third party environment, wherein the second request includes a second message;
  
  selecting, from the plurality of extensible interfaces, a first extensible interface being associated with the second application or second service within the third party environment;
  
  selecting, from the plurality of extensible interfaces, a second extensible interface being associated with the third application or third service within the third party environment;
  
  modifying, by the first extensible interface, the first format of the first message to a second format of the first message, based at least in part on the first security policy and the second security policy;
  
  establishing, via the first extensible interface, the first communication between the first application or first service and the second application or second service;
  
  establishing, via the second extensible interface, the second communication between the background application or background service and the third application or third service;
  
  transmitting, via the first communication, the second format of the first message to the second application or second service prior to transmitting, via the second communication, the second message to the third application or third service in response to the first application or the first service having the higher priority than the background application or background service; and
  
  transmitting and receiving data between the first application or first service and the second application or second service.
- View Dependent Claims (2, 3, 4, 8, 9, 10)
- - 2. The method of claim 1, wherein the third party environment comprises at least one of an operating system, a hypervisor layer, or firmware.
  - 3. The method of claim 1, further comprising:
    - identifying an Access Control List (ACL) associated with the third party environment, the ACL including ACL permissions;
      
      verifying, by the ACL, that the first application or first service is permitted to access the second application or second service, wherein establishing the communication between the first application or first service and the second application or second service is further based on the ACL permissions.
  - 4. The method of claim 3, wherein the ACL includes at least one security policy associated with an individual application or service within the third party environment.
  - 8. The method of claim 1, wherein the first extensible interface includes a plug-in driver to the second application or second service within the third party environment.
  - 9. The method of claim 8, further comprising receiving a registration associated with the plug-in driver, wherein the registration allows the interface platform to react to presences or departures of the first application or first service or the second application or second service.
  - 10. The method of claim 1, further comprising:
    - modifying, by a third extensible interface, a third format of the second message to a fourth format of the second message, based at least in part on a background security policy of the background application or background service and a third security policy of the third application or third service, wherein the background security policy is different from the third security policy; and
      
      wherein transmitting the second message further includes transmitting the fourth format of the second message to the third application or third service.

5. A computer-readable storage device having computer-executable instructions thereon that, upon execution, configure a computer to perform operations comprising:
- providing an interface platform including a non-extensible interface and a plurality of extensible interfaces, each of the plurality of extensible interfaces operable to communicate with an associated application or service in a first environment in a specific message format, and the non-extensible interface providing a single extension point for a plurality of applications or services in a second environment to communicate with third party applications or services in the first environment;
  
  identifying a priority of the plurality of applications or services to be executed within the second environment, wherein the plurality of applications or services includes a first application or a first service having a higher priority than a background application or background service;
  
  receiving, via the non-extensible interface, a first request from the first application or first service among the plurality of applications or services within the second environment to establish a first communication with a second application or second service within the first environment, the first request includes a first message in a first format, and wherein the first environment has a first security policy and the second environment has a second security policy that is different from the first security policy;
  
  receiving from the background application or background service among the plurality of applications or services within the second environment, via the non-extensible interface, a second request to establish a second communication with a third application or third service within the first environment, wherein the second request includes a second message;
  
  selecting, from the plurality of extensible interfaces, a first extensible interface being associated with the second application or second service within the first environment;
  
  selecting, from the plurality of extensible interfaces, a second extensible interface being associated with the third application or third service within the first environment;
  
  modifying, by the first extensible interface, the first format of the first message to a second format of the first message, based at least in part on the first security policy and the second security policy;
  
  establishing, via the first extensible, the first communication between the first application or the first service and the second application or the second service;
  
  establishing, via the second extensible interface, the second communication between the background application or background service and the third application or third service;
  
  transmitting, via the first communication, the second format of the first message to the second application or the second service prior to transmitting, via the second communication, the second message to the third application or third service in response to the first application or the first service having the higher priority than the background application or background service; and
  
  transmitting and receiving data between the first application or first service and the second application or second service, in response to establishing the first communication.
- View Dependent Claims (6, 7)
- - 6. The computer-readable storage device of claim 5, wherein the first security policy is a higher level security policy than the second security policy.
  - 7. The computer-readable storage device as claim 5, wherein the first or second message comprises a request to access a resource in the first environment, the resource including at least one of an application, a storage facility, or a service.

11. A system comprising:
- one or more processors, and a computer-readable storage device coupled to the one or more processors, the computer-readable storage device including one or more modules that are executable by the one or more processors to;
  
  provide an interface platform including a non-extensible interface and a plurality of extensible interfaces, each of the plurality of extensible interfaces specifically configured to communicate with an associated application or service within a third party environment in a format specific to the associated application or service, and the non-extensible interface providing a single extension point for a plurality of applications or services in a client environment to communicate with third party applications or services in the third party environment;
  
  identify a priority of the plurality of applications or services to be executed within the client environment, wherein the plurality of applications or services includes a first application or a first service having a higher priority than a background application or background service;
  
  receiving from the first application or first service among the plurality of applications or services within the client environment, via the non-extensible interface, a first request to establish a first communication with a second application or second service within the third party environment, the first request includes a first message in a first format, and wherein the first application or first service has a first security policy and the second application or second service has a second security policy that is different from the first security policy;
  
  receiving from the background application or background service among the plurality of applications or services within the client environment, via the non-extensible interface, a second request to establish a second communication with a third application or third service within the third party environment, wherein the second request includes a second message;
  
  selecting, from the plurality of extensible interfaces, a first extensible interface being associated with the second application or second service within the third party environment;
  
  selecting, from the plurality of extensible interfaces, a second extensible interface being associated with the third application or third service within the third party environment;
  
  modifying, by the first extensible interface, the first format of the first message to a second format of the first message, based at least in part on the first security policy and the second security policy;
  
  establishing, via the first extensible interface, the first communication between the first application or first service and the second application or second service;
  
  establishing, via the second extensible interface, the second communication between the background application or background service and the third application or third service;
  
  transmitting, via the first communication, the second format of the first message to the second application or second service prior to transmitting, via the second communication, the second message to the third application or third service in response to the first application or the first service having the higher priority than the background application or background service; and
  
  transmitting and receiving data between the first application or first service and the second application or second service.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 11, wherein the order of establishing the first communication interface and the second communication interface is further based at least in part on power management requirements associated with the first environment.
  - 14. The system of claim 11, wherein, prior to receiving the first request from the first application or service in the first environment, the one or more modules are further executable by the one or more processors to:
    - receive a query from a client environment for a list of dependencies associated with executing the second application or second service with the trusted execution environment, the list of dependencies comprising a sequence of operations to access the second application or second service.
  - 15. The system of claim 11, wherein, prior to establishing the non-extensible interface between the first application or first service and the second application or second service, the one or more modules are further executable by the one or more processors to:
    - initiate the sequence of operations to access the second application or second service, based at least in part on the list of dependencies.
  - 16. The system of claim 11, wherein the one or more modules are further executable by the one or more processors to:
    - remove the non-extensible interface between the first application or first service and the second application or second service based at least in part on the sequence of operations to access the second application or second service failing to initiate.
  - 17. The system of claim 11, wherein the non-extensible interface comprises at least one of Trusted Platform Module (TPM) 2.0, Play/Ready Digital Rights Management (DRM), secure variables, or a secure pipeline.
  - 18. The system of claim 11, wherein the extensible interface is implemented by firmware associated with the trusted execution environment.

12. A method comprising:
- providing an interface platform including a non-extensible interface and a plurality of extensible interfaces, each of the plurality of extensible interfaces specifically configured to communicate with an associated application or service within a third party environment in a format specific to the associated application or service, and the non-extensible interface providing a single extension point for multiple different applications or services in a client environment to communicate with the plurality of different applications or services in the third party environment;
  
  receiving from a first application or first service within the client environment, via the non-extensible interface, a first request to establish a communication with a second application or second service within the third party environment, the first request including a message being in a first format, and wherein the first application or first service has a first security policy and the second application or second service has a second security policy that is different from the first security policy;
  
  receiving a list of service dependencies including dependent resources associated with the second application or second service within the third party environment;
  
  determining whether any service dependencies remain inactive;
  
  initiating any inactive service dependencies within the third party environment;
  
  selecting, from the plurality of extensible interfaces, an extensible interface being associated with the second application or second service within the third party environment;
  
  modifying, by the extensible interface, the first format of the message to a second format of the message, based at least in part on the first security policy and the second security policy;
  
  establishing, via the extensible interface, the communication between the first application or first service and the second application or second service; and
  
  transmitting, via the communication, the second format of the message to the second application or second service; and
  
  transmitting and receiving data between the first application or first service and the second application or second service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Barakat, Youssef, Kinshumann, Kinshuman, Perkins, Brian, Moon, Jinsub
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Cohen, Harvey I

Application Number

US14/485,737
Publication Number

US 20160080320A1
Time in Patent Office

1,486 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

H04L 63/00   Network architectures or ne...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Trusted execution environment extensible computing device interface

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted execution environment extensible computing device interface

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links