Protecting cognitive code and client data in a public cloud via deployment of data and executables into a stateless secure partition

US 10,685,106 B2
Filed: 03/10/2018
Issued: 06/16/2020
Est. Priority Date: 03/10/2018
Status: Active Grant

First Claim

Patent Images

1. A method of protecting client data from unauthorized disclosure comprising:

loading appliance code in an appliance which includes a secure virtual machine that uses a set of computing resources;

revoking all access to devices from within the appliance except for a shared memory wherein the appliance code includes an application program interface that uses the shared memory and wherein all access to a logical partition of the appliance is revoked when the partition is activated;

receiving commands, operand data and application data at the appliance via the shared memory;

processing the commands, operand data and application data by the appliance code in the appliance to yield results without recording any application data on persistent media; and

communicating the results of said processing to a client of the appliance via the shared memory.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure cloud computing environment protects the confidentiality of application code from a customer while simultaneously protecting the confidentiality of a customer'"'"'s data from intentional or inadvertent leaks by the application code. This result is accomplished without the need to trust the application code and without requiring human surveillance or intervention. A client secure virtual machine (SVM) is accessible by a client who supplies commands, operand data and application data. An appliance SVM has the application code loaded therein and includes an application program interface that accesses a memory area shared by both SVMs. All access to the appliance SVM is initially revoked by an ultravisor, except for the shared memory. The appliance SVM processes the commands without ever saving any persistent state of the application data. The ultravisor manages an SVM by maintaining exclusive control over a device tree used by the operating system of the SVM.

Citations

17 Claims

1. A method of protecting client data from unauthorized disclosure comprising:
- loading appliance code in an appliance which includes a secure virtual machine that uses a set of computing resources;
  
  revoking all access to devices from within the appliance except for a shared memory wherein the appliance code includes an application program interface that uses the shared memory and wherein all access to a logical partition of the appliance is revoked when the partition is activated;
  
  receiving commands, operand data and application data at the appliance via the shared memory;
  
  processing the commands, operand data and application data by the appliance code in the appliance to yield results without recording any application data on persistent media; and
  
  communicating the results of said processing to a client of the appliance via the shared memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the appliance is a first secure virtual machine, the set of computing resources is a first set of computing resources, and further comprising creating the client which includes a second secure virtual machine that uses a second set of the computing resources, wherein the appliance and client operate in a system environment having a security mode imposed by an ultravisor embodied in microcode, and the client uses the ultravisor to allocate the shared memory and causes the appliance to be started with a token used to access the shared memory.
  - 3. The method of claim 2 wherein the ultravisor maintains exclusive access control over the computing resources and limits access to both the appliance and the client.
  - 4. The method of claim 3 wherein:
    - the ultravisor receives a request from the client to provide the shared memory and responsively creates the token; and
      
      the appliance receives an encrypted version of the token from the client, decrypts the encrypted version using a public key, and requests access to the shared memory from the ultravisor using the token.
  - 5. The method of claim 3 wherein the ultravisor prevents the appliance from communicating with any devices by controlling a device tree used by an operating system of the appliance.
  - 6. The method of claim 1 further comprising:
    - saving all data from a memory of the partition in encrypted persistent storage;
      
      deleting the data from the memory; and
      
      deactivating the partition.
  - 7. The method of claim 1 wherein the appliance is deployed to the partition from a different logical partition.
  - 8. The method of claim 2 wherein the ultravisor prevents any entity other than the client from accessing the appliance while also preventing the client from accessing the appliance code.

9. A secure computing system comprising:
- an appliance including a secure virtual machine constructed from a set of computing resources;
  
  appliance code residing in the appliance; and
  
  means for revoking all access to devices from within the appliance except for a shared memory wherein the appliance code includes an application program interface that uses the shared memory and wherein all access to a logical partition of the appliance is revoked when the partition is activated;
  
  wherein the appliance processes commands, operand data and application data received via the shared memory using the appliance code to yield results without recording any application data on persistent media, and communicates the results to a client of the appliance via the shared memory.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The secure computing system of claim 9 wherein the secure virtual machine is a first secure virtual machine, the set of computing resources is a first set of computing resources, and further comprising a client which includes a second secure virtual machine that uses a second set of the computing resources wherein the appliance and client operate in a system environment having a security mode imposed by an ultravisor embodied in microcode, and the client uses the ultravisor to allocate the shared memory and causes the appliance to be started with a token used to access the shared memory.
  - 11. The secure computing system of claim 9 wherein the ultravisor maintains exclusive access control over the computing resources and limits access to both the appliance and the client.
  - 12. The secure computing system of claim 11 wherein:
    - the ultravisor receives a request from the client to provide the shared memory and responsively creates the token; and
      
      the appliance receives an encrypted version of the token from the client, decrypts the encrypted version using a public key, and requests access to the shared memory from the ultravisor using the token.
  - 13. The secure computing system of claim 11 wherein the ultravisor prevents the appliance from communicating with any devices by controlling a device tree used by an operating system of the appliance.
  - 14. The secure computing system of claim 9 wherein the ultravisor saves all data from a memory of the partition in encrypted persistent storage, deletes the data from the memory, and deactivates the partition.
  - 15. The secure computing system of claim 9 wherein the appliance is deployed to the partition from a different logical partition.
  - 16. The secure computing system of claim 10 wherein the ultravisor prevents any entity other than the client from accessing the appliance while also preventing the client from accessing the appliance code.

17. A computer program product comprising:
- a computer readable storage medium; and
  
  program instructions residing in said storage medium for protecting client data from unauthorized disclosure by loading appliance code in an appliance which includes a secure virtual machine that uses a set of computing resources, revoking all access to devices from within the appliance except for a shared memory wherein the appliance code includes an application program interface that uses the shared memory and wherein said program instructions revoke all access to a logical partition of the appliance when the partition is activated, receiving commands, operand data and application data at the appliance via the shared memory, processing the commands, operand data and application data by the appliance code in the appliance to yield results without recording any application data on persistent media, and communicating the results to a client of the appliance via the shared memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Boivie, Richard H., Bradbury, Jonathan D., Hall, William E., Hunt, Guerney D. H., Leenstra, Jentje, Linton, Jeb R., O'Connor, Jr., James A., Palmer, Elaine R., Pendarakis, Dimitrios
Primary Examiner(s)
Shaw, Peter C

Application Number

US15/917,619
Publication Number

US 20190278907A1
Time in Patent Office

829 Days
Field of Search

726 26
US Class Current
CPC Class Codes

G06F 2009/45579   I/O management, e.g. provid...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 21/12   Protecting executable software

G06F 21/53   by executing in a restricte...

G06F 21/78   to assure secure storage of...

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/544   Buffers; Shared memory; Pipes

H04L 63/10   for controlling access to d...

H04L 67/10   in which an application is ...

H04L 9/006   involving public key infras...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3234   involving additional secure...

Protecting cognitive code and client data in a public cloud via deployment of data and executables into a stateless secure partition

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting cognitive code and client data in a public cloud via deployment of data and executables into a stateless secure partition

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links