Data verification using enclave attestation
Abstract
Particular embodiments described herein provide for an electronic device that can be configured to receive untrusted input data at an enclave in an electronic device, isolate the untrusted input data from at least a portion of the enclave, communicate at least a portion of the untrusted data to an integrity verification module using an attestation channel, and receive data integrity verification of the untrusted input data from the integrity verification module. The integrity verification module can perform data integrity attestation functions to verify the untrusted data and the data integrity attestation functions include a data attestation policy and a whitelist.
25 Claims
1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by a processor cause the processor to:
- receive untrusted data for input to an application residing in a protected region of memory of an electronic device;
- isolate the untrusted data for input from the protected region of memory;
- communicate at least a portion of the untrusted data for input over an attestation channel for data integrity verification by a data integrity attestation function that includes a data attestation policy specifying constraints on input values for the application;
- receive data integrity verification of the untrusted data for input, based on a determination that the at least a portion of the untrusted data for input conforms to the data attestation policy, via the attestation channel; and
- return the verified untrusted data for input to the application for processing.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. An apparatus comprising:
- memory, wherein the memory comprises a protected region; and
- a processor, the processor configured to:
  - receive untrusted data for input to an application residing in a protected region of memory of an electronic device;
  - isolate the untrusted data for input from the protected region of memory;
  - communicate at least a portion of the untrusted data for input over an attestation channel for data integrity verification by a data integrity attestation function that includes a data attestation policy specifying constraints on input values for the application;
  - receive data integrity verification of the untrusted data for input, based on a determination that the at least a portion of the untrusted data for input conforms to the data attestation policy, via the attestation channel; and
  - return the verified untrusted data for input to the application for processing.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A method comprising:
- receiving untrusted data for input to an application residing in a protected region of memory of an electronic device;
- isolating the untrusted data for input from the protected region of memory;
- communicating at least a portion of the untrusted data for input over an attestation channel for data integrity verification by a data integrity attestation function that includes a data attestation policy specifying constraints on input values for the application;
- receiving data integrity verification of the untrusted data for input, based on a determination that the at least a portion of the untrusted data for input conforms to the data attestation policy, via the attestation channel; and
- returning the verified untrusted data for input to the application for processing.
Dependent claims: 16, 17, 18, 19, 20, 21.
22. A system for data integrity verification, the system comprising:
- memory, wherein the memory comprises a protected region; and
- a processor, the processor configured for:
  - receiving untrusted data for input to an application residing in a protected region of memory of an electronic device;
  - isolating the untrusted data for input from the protected region of memory;
  - communicating at least a portion of the untrusted data for input over an attestation channel for data integrity verification by a data integrity attestation function that includes a data attestation policy specifying constraints on input values for the application;
  - receiving data integrity verification of the untrusted data for input, based on a determination that the at least a portion of the untrusted data for input conforms to the data attestation policy, via the attestation channel; and
  - returning the verified untrusted data for input to the application for processing.
Dependent claims: 23, 24, 25.
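As an added illustration of the flow described in the abstract and the independent claims (this is not code from the patent or its assignee), the Python sketch below models an enclave-side gate that stages untrusted input away from application state, hands it to a verification function standing in for the integrity verification module and attestation channel, applies a data attestation policy (constraints on input values plus a whitelist), and releases only conforming data to the application. The names AttestationPolicy, verify_input and EnclaveInputGate, and the sample policy and inputs, are assumptions made for this example.

```python
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Set, Tuple

@dataclass
class AttestationPolicy:  # data attestation policy: size bound, constraints, whitelist
    max_len: int                                   # bound on raw input size
    constraints: Dict[str, Callable[[Any], bool]]  # field -> predicate on its value
    whitelist: Dict[str, Set[Any]]                 # field -> allowed values

def verify_input(raw: bytes, policy: AttestationPolicy) -> Tuple[Optional[dict], str]:
    """Integrity verification module: attest untrusted bytes against the policy."""
    if len(raw) > policy.max_len:
        return None, "input too large"
    try:
        record = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        record = None
    if not isinstance(record, dict):
        return None, "malformed input"
    for name, pred in policy.constraints.items():
        if name not in record or not pred(record[name]):
            return None, "constraint failed: " + name
    for name, allowed in policy.whitelist.items():
        if record.get(name) not in allowed:
            return None, "not whitelisted: " + name
    return record, "ok"

class EnclaveInputGate:
    """Keeps untrusted input apart from application state until it is verified."""
    def __init__(self, policy: AttestationPolicy):
        self.policy = policy
        self.verified: Dict[str, dict] = {}  # the only view the application gets
    def receive(self, msg_id: str, raw: bytes) -> Tuple[bool, str]:
        staged = bytes(raw)  # private copy; nothing here reaches the app yet
        record, reason = verify_input(staged, self.policy)  # attestation channel
        if record is not None:
            self.verified[msg_id] = record  # release only policy-conforming data
        return record is not None, reason

POLICY = AttestationPolicy(max_len=128,  # constructed policy for a hypothetical app
    constraints={"amount": lambda v: type(v) is int and 0 < v <= 10_000},
    whitelist={"currency": {"USD", "EUR"}})

def run_demo() -> Dict[str, bool]:  # constructed inputs; True = released to app
    gate = EnclaveInputGate(POLICY)
    inputs = {"good": b'{"amount": 250, "currency": "USD"}',
              "negative": b'{"amount": -5, "currency": "USD"}',
              "badcur": b'{"amount": 1, "currency": "XXX"}', "garbage": b"\xff not json"}
    return {k: gate.receive(k, v)[0] for k, v in inputs.items()}
```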
Specification