Method and system for secure instantiation of an operation system within the cloud

US 10,154,023 B1
Filed: 12/17/2015
Issued: 12/11/2018
Est. Priority Date: 12/18/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

initiating a first execution environment, the first execution environment comprising a key access protocol for accessing a cipher key; and

,initiating by the first execution environment a virtual machine, the virtual machine stored in encrypted form, the first execution environment accessing the cipher key for deciphering the encrypted form of the virtual machine to allow the virtual machine to be executed,wherein the first execution environment comprises a pre-boot environment comprising a Unix-like virtual machine and wherein the virtual machine comprises an operating system including encryption of portions of the operating system required for execution of the operating system other than a preboot portion thereof within the operating system and requiring password entry prior to decryption of the encrypted portions of the operating system, andwherein the first execution environment controls at least an aspect of the operating system during execution thereof to enter an unsecured password through a keyboard interface to the operating system to continue execution of the virtual machine.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for executing a secure virtual machine stored in encrypted form in IaaS cloud such as Microsoft Azure or Amazon Web Services. A first execution environment comprising a key access protocol for accessing a cipher key is initiated. The first execution environment executes the secure virtual machine by accessing a secret for use in deciphering the encrypted form of the secure virtual machine and providing same to allow the secure virtual machine to be executed.

32 Citations

View as Search Results

14 Claims

1. A method comprising:
- initiating a first execution environment, the first execution environment comprising a key access protocol for accessing a cipher key; and
  
  ,initiating by the first execution environment a virtual machine, the virtual machine stored in encrypted form, the first execution environment accessing the cipher key for deciphering the encrypted form of the virtual machine to allow the virtual machine to be executed,wherein the first execution environment comprises a pre-boot environment comprising a Unix-like virtual machine and wherein the virtual machine comprises an operating system including encryption of portions of the operating system required for execution of the operating system other than a preboot portion thereof within the operating system and requiring password entry prior to decryption of the encrypted portions of the operating system, andwherein the first execution environment controls at least an aspect of the operating system during execution thereof to enter an unsecured password through a keyboard interface to the operating system to continue execution of the virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1 comprising:
    - storing by the first execution environment the cipher key within a known memory location prior to initiating the virtual machine.
  - 3. A method according to claim 1 wherein the key protocol comprises providing a token stored within the first execution environment and having an expiry time to a third other virtual machine for authentication and the first virtual environment for, when authenticated, receiving a secret at the first execution environment in response to the authentication.
  - 4. A method according to claim 1 wherein the first execution environment comprises an interface interfacing with a secure key store for retrieving therefrom the cipher key, the interface for performing an integrity check on at least one of the first execution environment and the virtual machine.
  - 5. A method according to claim 1 wherein the first execution environment comprises an interface for interfacing with a user, the interface for demanding user reply.
  - 6. A method according to claim 1 wherein the virtual machine is executed within the first execution environment.
  - 7. A method according to claim 1 wherein the first execution environment is in execution within a first virtual memory space, and wherein the virtual machine is executed by the first execution environment thereby replacing the first execution environment within the first virtual memory space.

8. A method comprising:
- initiating a first execution environment, the first execution environment comprising a key access protocol for accessing a cipher key; and
  
  ,initiating by the first execution environment a virtual machine, the virtual machine stored partially in encrypted form and requiring a secret for decrypting thereof, the first execution environment accessing the secret for deciphering the encrypted form of the virtual machine to allow the virtual machine to continue execution,wherein the first execution environment comprises a security protocol for verifying an initiator thereof to authenticate the initiator as someone permitted to execute the virtual machine,wherein the first execution environment comprises a pre-boot environment comprising a Unix-like virtual machine and wherein the virtual machine comprises an operating system including encryption of portions of the operating system required for execution of the operating system other than a preboot portion thereof within the operating system and requiring password entry prior to decryption of the encrypted portions of the operating system, andwherein the first execution environment controls at least an aspect of the operating system during execution thereof to enter an unsecured password through a keyboard interface to the operating system to continue execution of the virtual machine.
- View Dependent Claims (9, 10, 11)
- - 9. A method according to claim 8 wherein the first execution environment accesses the cipher key via a key management system within a third other virtual machine.
  - 10. A method according to claim 8 wherein the first execution environment verifies the initiator thereof by verifying a token stored therein to determine whether the token has expired.
  - 11. A method according to claim 8 wherein the first execution environment verifies the initiator thereof by providing a token stored therein to a third other virtual machine for authentication and the first execution environment for, when authenticated, receiving the secret from the third other virtual machine.

12. A method comprising:
- initiating a first execution environment within the cloud, the first execution environment comprising a key access protocol for accessing a cipher key and for storing said cipher key within the first execution environment and for executing an operating system stored in encrypted form;
  
  accessing by the first execution environment the cipher key for deciphering the encrypted form of the operating system to allow the operating system to be executed within the first execution environment; and
  
  executing the operating system,wherein the key access protocol comprises a pre-boot environment comprising a Unix-like operating system in execution for accessing a cipher key and for storing said cipher key within the first execution environment and wherein the operating system comprises a first operating system including encryption of portions of the operating system required for execution of the operating system other than a preboot portion thereof within the operating system and requiring password entry prior to decryption of the encrypted portions of the operating system,wherein the first execution environment controls at least an aspect of the operating system during execution thereof to enter an unsecured password through a keyboard interface to the operating system to continue execution of the virtual machine.
- View Dependent Claims (13, 14)
- - 13. A method according to claim 12 wherein:
    - the Unix-like operating system stores the cipher key within a known memory location prior to initiating the first operating system including encryption of portions of the operating system required for execution of the operating system other than a preboot portion thereof within the operating system and requiring password entry prior to decryption of the encrypted portions of the operating system; and
      
      the Unix-like operating system controlling at least an aspect of the first operating system one of before and during execution thereof to enter an unsecured password to the first operating system to support decryption of the first operating system and execution thereof within the first execution environment.
  - 14. A method according to claim 12 wherein the first execution environment comprises a security protocol for authenticating execution of the operating system comprising:
    - providing a token stored within the first execution environment and having an expiry time to a third other virtual machine for authentication and for, when authenticated, receiving a secret in response to the authentication, the secret for use one of for accessing the cipher key and as the cipher key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Nossik, Michael, Bramble, Timothy Roger Masson, McCulligh, Murray, Berfeld, Yuri, Du, Lejin
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Chao, Michael W

Application Number

US14/972,377
Time in Patent Office

1,090 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45575   Starting, stopping, suspend...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/575   Secure boot

G06F 9/4406   Loading of operating system

G06F 9/4416   Network booting; Remote ini...

G06F 9/45558   Hypervisor-specific managem...

H04L 2463/144   Detection or countermeasure...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/1466   Active attacks involving in...

H04L 67/10   in which an application is ...

Method and system for secure instantiation of an operation system within the cloud

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for secure instantiation of an operation system within the cloud

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links