Policy-managed secure code execution and messaging for computing devices and computing device security
First Claim
1. A system for secure transmission and managed execution of executable code within an encrypted file bundle on a computing device, the system comprising:
a file identifier for identifying the encrypted file bundle containing executable code;
a secure memory for storing executable code as independent trusted applications;
a policy server coupled to the secure memory and communicatively coupled to the file identifier via an encrypted backchannel, for adjudicating requests from a requestor regarding permissibility of execution of the executable code within the file bundle, where the adjudication of the request is completely hidden from the requestor;
a decryption key stored in the secured memory for decrypting the encrypted file bundle and for storing the decrypted executable code in the secure memory when the policy server approves a request to execute the executable code within the file bundle;
a policy enforcement point for each independent trusted application coupled to the policy server for enforcing policy decisions from the policy server pertaining to the execution of the trusted application; and
at least one processor coupled to the policy enforcement points for executing the decrypted executable code as independent trusted applications.
Abstract
A system for policy-managed secure code execution and messaging for computing devices where each trusted application is managed independently of others and is not visible to unauthorized inspection or execution. If a file bundle received by the system contains metadata concerning the context of the file or its execution, the metadata is decrypted if necessary. If the file bundle containing the executable code is encrypted, its key is stored in a policy server to await adjudication of the request to execute. If the policy server allows execution of the executable code, the key stored in the policy server is used to decrypt the file bundle and the resulting executable code is stored as a trusted application in secure memory. Future requests to execute the trusted application are adjudicated by the policy server and enforced by the exclusive policy execution point associated with that trusted application in secure memory.
118 Citations
9 Claims
1. Claim 1 is recited above under First Claim; claims 2 through 6 depend from it.
7. A method for secure transmission and managed execution of executable code within an encrypted file bundle on a computing device, the steps comprising:
intercepting a request from a requestor to execute executable code within an encrypted file bundle where the interception is hidden from the requestor;
receiving the request at a policy server;
retrieving the encrypted file bundle and a decryption key to the encrypted file bundle;
extracting the decryption key from the encrypted file bundle and storing said decryption key in a secure memory;
adjudicating the request at the policy server where the adjudication is hidden from the requestor;
retrieving the decryption key from the secure memory and decrypting the encrypted file bundle when the request to execute the executable code is granted;
storing the decrypted executable code within the file bundle in the secure memory as independent trusted applications;
enforcing the policy rules as indicated by the policy server; and
executing the executable code as independent trusted applications.
Claims 8 and 9 depend from claim 7.
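The method of claim 7, modelled end to end as an added example. This is not code from the patent, its specification or its assignee; it is one way to realise the recited steps and it makes several assumptions the claims do not state: the bundle is AES-256-GCM ciphertext with the file identifier as associated data, the bundle key travels inside the bundle wrapped under a per-device key that only the secure memory holds (so that the key can be "extracted" into secure memory before adjudication), the policy rules are a constructed allow-list, and "executing" the trusted application is modelled by the enforcement point handing back the decrypted bytes. All type and function names (Bundle, SecureMemory, PolicyServer, EnforcementPoint, MakeBundle, Install, Execute) are invented for this example, and the requestors "alice" and "mallory" and the identifier "app-1" are constructed test data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Bundle is the constructed encrypted file bundle: a file identifier, AES-256-GCM
// ciphertext of the executable code, and the bundle key wrapped under a per-device key.
type Bundle struct {
	ID                    string
	Nonce, Ciphertext     []byte
	WrapNonce, WrappedKey []byte
}

// SecureMemory is referenced only by the policy server and the enforcement points.
type SecureMemory struct {
	DeviceKey  []byte
	Keys, Apps map[string][]byte // bundle id -> unwrapped key / decrypted executable
}

// PolicyServer keeps its rules internal; a requestor learns only the outcome.
type PolicyServer struct {
	Mem     *SecureMemory
	Allowed map[string]map[string]bool // requestor -> bundle id -> permitted (assumed rule shape)
}

func (p *PolicyServer) adjudicate(requestor, id string) bool {
	return p.Allowed[requestor][id]
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy nothing below is safe to continue
	}
	return b
}

func gcm(key []byte) cipher.AEAD { // panics on a bad key length; keys here are 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	a, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return a
}

// MakeBundle is the publisher side: encrypt the code under a fresh bundle key with
// the file identifier as AAD, then wrap that key for the target device.
func MakeBundle(deviceKey []byte, id string, code []byte) Bundle {
	key := randBytes(32)
	a, w := gcm(key), gcm(deviceKey)
	n, wn := randBytes(a.NonceSize()), randBytes(w.NonceSize())
	return Bundle{id, n, a.Seal(nil, n, code, []byte(id)), wn, w.Seal(nil, wn, key, []byte(id))}
}

// Install is the intercepted first request of claim 7: unwrap the key into secure memory,
// adjudicate, and only on grant decrypt the code and store it as a trusted application.
func (p *PolicyServer) Install(requestor string, b Bundle) (bool, error) {
	key, err := gcm(p.Mem.DeviceKey).Open(nil, b.WrapNonce, b.WrappedKey, []byte(b.ID))
	if err != nil {
		return false, fmt.Errorf("bundle %q: key does not unwrap for this device", b.ID)
	}
	p.Mem.Keys[b.ID] = key // key is held in secure memory before adjudication
	if !p.adjudicate(requestor, b.ID) {
		return false, nil // bare denial: no key, no reason
	}
	code, err := gcm(key).Open(nil, b.Nonce, b.Ciphertext, []byte(b.ID))
	if err != nil {
		return false, fmt.Errorf("bundle %q: ciphertext failed authentication", b.ID)
	}
	p.Mem.Apps[b.ID] = code
	return true, nil
}

// EnforcementPoint is the per-application policy enforcement point: every later
// request is re-adjudicated and only on grant is the stored code handed over.
type EnforcementPoint struct {
	BundleID string
	Policy   *PolicyServer
}

func (e *EnforcementPoint) Execute(requestor string) ([]byte, bool) {
	if !e.Policy.adjudicate(requestor, e.BundleID) {
		return nil, false
	}
	code, ok := e.Policy.Mem.Apps[e.BundleID]
	return code, ok
}

func main() {
	dev := &PolicyServer{&SecureMemory{randBytes(32), map[string][]byte{}, map[string][]byte{}}, map[string]map[string]bool{"alice": {"app-1": true}}}
	ok, err := dev.Install("alice", MakeBundle(dev.Mem.DeviceKey, "app-1", []byte("constructed code")))
	_, mallory := (&EnforcementPoint{"app-1", dev}).Execute("mallory")
	fmt.Println("installed:", ok, err, "mallory granted:", mallory)
}
```

Two design points worth noting. Binding the file identifier into the AEAD associated data means a bundle cannot be renamed to an identifier that a more permissive rule covers without the ciphertext failing to authenticate. And because the requestor only ever sees the boolean result of Install or Execute, a denial for "not on the allow-list" is indistinguishable from a denial for any other rule, which is what the claims mean by adjudication hidden from the requestor; the tampering and wrong-device cases surface as errors to the device, not to the requestor.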
Specification