Policy-managed secure code execution and messaging for computing devices and computing device security

US 10,462,185 B2
Filed: 09/04/2015
Issued: 10/29/2019
Est. Priority Date: 09/05/2014
Status: Active Grant

First Claim

Patent Images

1. A system for secure transmission and managed execution of executable code within an encrypted file bundle on a computing device, the system comprising:

a file identifier for identifying the encrypted file bundle containing executable code;

a secure memory for storing executable code as independent trusted applications;

a policy server coupled to the secure memory and communicatively coupled to the file identifier via an encrypted backchannel, for adjudicating requests from a requestor regarding permissibility of execution of the executable code within the file bundle, where the adjudication of the request is completely hidden from the requestor;

a decryption key stored in the secured memory for decrypting the encrypted file bundle and for storing the decrypted executable code in the secure memory when the policy server approves a request to execute the executable code within the file bundle;

a policy enforcement point for each independent trusted application coupled to the policy server for enforcing policy decisions from the policy server pertaining to the execution of the trusted application; and

at least one processor coupled to the policy enforcement points for executing the decrypted executable code as independent trusted applications.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for policy-managed secure code execution and messaging for computing devices where each trusted application is managed independently of others and is not visible to unauthorized inspection or execution. If a file bundle received by the system contains metadata concerning the context of the file or its execution, the metadata is decrypted if necessary. If the file bundle containing the executable code is encrypted, its key is stored in a policy server to await adjudication of the request to execute. If the policy server allows execution of the executable code, the key stored in the policy server is used to decrypt the file bundle and the resulting executable code is stored as a trusted application in secure memory. Future requests to execute the trusted application are adjudicated by the policy server and enforced by the exclusive policy execution point associated with that trusted application in secure memory.

118 Citations

9 Claims

1. A system for secure transmission and managed execution of executable code within an encrypted file bundle on a computing device, the system comprising:
- a file identifier for identifying the encrypted file bundle containing executable code;
  
  a secure memory for storing executable code as independent trusted applications;
  
  a policy server coupled to the secure memory and communicatively coupled to the file identifier via an encrypted backchannel, for adjudicating requests from a requestor regarding permissibility of execution of the executable code within the file bundle, where the adjudication of the request is completely hidden from the requestor;
  
  a decryption key stored in the secured memory for decrypting the encrypted file bundle and for storing the decrypted executable code in the secure memory when the policy server approves a request to execute the executable code within the file bundle;
  
  a policy enforcement point for each independent trusted application coupled to the policy server for enforcing policy decisions from the policy server pertaining to the execution of the trusted application; and
  
  at least one processor coupled to the policy enforcement points for executing the decrypted executable code as independent trusted applications.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the file bundle contains additional contextual information or metadata.
  - 3. The system of claim 2, wherein the contextual information is encrypted using an encryption key or encryption protocol different from the encryption key for the executable portion of the file bundle.
  - 4. The system of claim 1, wherein each policy enforcement point is coupled to the policy server via a shared applications programming interface.
  - 5. The system of claim 1, wherein each policy enforcement point is coupled to the policy server exclusively through a separate applications programming interface via each independent policy enforcement point.
  - 6. The system of claim 1, wherein each policy enforcement point is coupled to an independent policy server through a separate applications programming interface via each independent policy enforcement point.

7. A method for secure transmission and managed execution of executable code within an encrypted file bundle on a computing device, the steps comprising:
- intercepting a request from a requestor to execute executable code within an encrypted file bundle where the interception is hidden from the requestor;
  
  receiving the request at a policy server;
  
  retrieving the encrypted file bundle and a decryption key to the encrypted file bundle;
  
  extracting the decryption key from the encrypted file bundle and storing said decryption key in a secure memory;
  
  adjudicating the request at the policy server where the adjudication is hidden from the requestor;
  
  retrieving the decryption key from the secure memory and decrypting the encrypted file bundle when the request to execute the executable code is granted;
  
  storing the decrypted executable code within the file bundle in the secure memory as independent trusted applications;
  
  enforcing the policy rules as indicated by the policy server; and
  
  executing the executable code as independent trusted applications.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7 further including the steps:
    - detecting if the encrypted file bundle contains metadata; and
      
      transmitting the metadata to the policy server.
  - 9. The method of claim 7 further including the steps:
    - detecting if the encrypted file bundle contains metadata;
      
      decrypting the metadata before adjudicating the request at the policy server when the file bundle contains metadata and the metadata is encrypted; and
      
      transmitting the decrypted metadata to the policy server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sequitur Labs, Inc.
Original Assignee
Sequitur Labs, Inc.
Inventors
Attfield, Philip, Schaffner, Daniel, Hendrick, Michael Thomas
Primary Examiner(s)
Patel, Haresh N

Application Number

US15/503,667
Publication Number

US 20170244759A1
Time in Patent Office

1,516 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/57   Certifying or maintaining t...

G06F 2221/034   Test or assess a computer o...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/0894   Escrow, recovery or storing...

H04W 12/03   Protecting confidentiality,...

Policy-managed secure code execution and messaging for computing devices and computing device security

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

118 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-managed secure code execution and messaging for computing devices and computing device security

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links