Kernel cryptographic module signature verification system and method

US 20050005101A1
Filed: 07/03/2003
Published: 01/06/2005
Est. Priority Date: 07/03/2003
Status: Abandoned Application

First Claim

Patent Images

1. A computer system comprising:

a processor;

a memory storage unit;

an operating system comprising a kernel, said kernel comprising a plurality of kernel modules, said kernel modules comprising signature information; and

a kernel module signature verification system for verifying said kernel module signature information of each of said plurality of kernel modules as said plurality of kernel modules are loaded into said kernel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer operating system having a kernel with a kernel module signature verification unit is described herein. The kernel module signature verification unit automatically monitors kernel module signature path and extracts the signature information provided by each module attempting to load to the kernel. The signature information captured from the kernel module path is retrieved by a kernel cryptographic framework to verify the signature information provided by a kernel cryptographic framework daemon when the same kernel module attempts to register its routines and mechanisms with the kernel cryptographic framework.

53 Citations

View as Search Results

36 Claims

1. A computer system comprising:
- a processor;
  
  a memory storage unit;
  
  an operating system comprising a kernel, said kernel comprising a plurality of kernel modules, said kernel modules comprising signature information; and
  
  a kernel module signature verification system for verifying said kernel module signature information of each of said plurality of kernel modules as said plurality of kernel modules are loaded into said kernel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer system of claim 1, wherein said kernel module signature information is generated via a public key and a private key compilation in said kernel module.
  - 3. The computer system of claim 2, wherein said kernel module signature information comprises signature length data unique to each of said plurality of kernel modules, said signature length data used by said kernel module signature verification system in uniquely identifying each of said plurality of kernel modules.
  - 4. The computer system of claim 3, wherein said kernel module signature information further comprises signature size data for further uniquely identifying each of said kernel module.
  - 5. The computer system of claim 4, wherein said kernel module signature verification system comprises a kernel cryptographic framework for verifying said kernel module signature information.
  - 6. The computer system of claim 5, wherein said kernel module signature verification system further comprises a kernel cryptographic framework daemon for performing verification lookup operations of signature information provided to said kernel cryptographic framework in said kernel.
  - 7. The computer system of claim 6, wherein said kernel cryptographic framework daemon further performs module verification of said plurality of kernel modules.
  - 8. The computer system of claim 7, wherein said kernel cryptographic framework retrieves pathname information of said signature information for each of said plurality of kernel modules when said plurality of kernel modules attempt to load up to said kernel to perform cryptographic operations.
  - 9. The computer system of claim 8, wherein said kernel cryptographic framework comprises a cryptographic service provider registration unit for registering each of said plurality of kernel modules wishing to provide cryptographic services in said kernel.
  - 10. The computer system of claim 9, wherein said kernel cryptographic framework further comprises a intra-kernel communication unit for enabling communications between said kernel cryptographic framework and said kernel cryptographic framework daemon.
  - 11. The computer system of claim 10, wherein said kernel cryptographic framework further comprises a data structure unit for storing said kernel module signature information.

12. A computer operating system comprising:
- a memory storage unit;
  
  a kernel, said kernel comprising a plurality of kernel modules; and
  
  a kernel module signature verification system for verifying signature information of said plurality of kernel modules.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 13. The computer operating system of claim 12, wherein said kernel signature information comprises kernel signature data for uniquely identifying each one of said plurality of kernel modules.
  - 14. The computer operating system of claim 13, wherein said kernel signature information further comprises signature length data for further uniquely identifying each one of said plurality of kernel modules.
  - 15. The computer operating system of claim 14, wherein said kernel signature information further comprises signature size data for each of said plurality of kernel modules.
  - 16. The computer operating system of claim 15, wherein said kernel module signature verification system comprises a kernel cryptographic framework for authorizing and verifying signature information of kernel cryptographic modules loading into said kernel to provide kernel cryptographic services.
  - 17. The computer operating system of claim 16, wherein said kernel module signature verification system further comprises a kernel cryptographic framework daemon.
  - 18. The computer operating system of claim 17, wherein said kernel cryptographic framework daemon performs module verification of said plurality of kernel modules.
  - 19. The computer operating system of claim 18, wherein said kernel cryptographic framework retrieves pathname information of said signature information for each of said plurality of kernel modules when said plurality of kernel modules attempt to load up to said kernel to perform cryptographic operations.
  - 20. The computer operating system of claim 19, wherein said kernel cryptographic framework comprises a cryptographic service provider registration unit for registering each of said plurality of kernel modules wishing to provide cryptographic services in said kernel.
  - 21. The computer operating system of claim 20, wherein said kernel cryptographic framework further comprises an intra-kernel communication unit for enabling communications between said kernel cryptographic framework and said kernel cryptographic framework daemon.
  - 22. The computer operating system of claim 21, wherein said kernel cryptographic framework further comprises a data structure unit for storing said kernel module signature information.
  - 23. The computer operating system of claim 22, wherein said kernel cryptographic framework and said kernel cryptographic framework daemon communicate via a plurality of input/output control commands.
  - 24. The computer operating system of claim 23, wherein said input/output control commands comprise a door create command for creating a plurality of cryptographic doors for enabling communication between said kernel cryptographic framework and said kernel cryptographic framework daemon.

25. In a computer system, a computer software implemented kernel module signature verification system, comprising:
- kernel cryptographic framework for verifying signatures uniquely defining each of a plurality of kernel cryptographic modules; and
  
  kernel cryptographic framework daemon for performing module verification for each of said plurality of kernel cryptographic modules.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The kernel module signature verification system of claim 25, wherein said kernel cryptographic framework daemon retrieves pathname information of said signature information for each of said plurality of kernel modules when said plurality of kernel modules attempt to load up to said kernel to perform cryptographic operations.
  - 27. The kernel module signature verification system of claim 26, wherein said kernel cryptographic framework comprises a cryptographic service provider registration unit for registering each of said plurality of kernel modules wishing to provide cryptographic services in said kernel.
  - 28. The kernel module signature verification system of claim 27, wherein said kernel cryptographic framework further comprises an intra-kernel communication unit for enabling communications between said kernel cryptographic framework and said kernel cryptographic framework daemon.
  - 29. The kernel module signature verification system of claim 28, wherein said kernel cryptographic framework further comprises a data structure unit for storing said kernel module signature information.
  - 30. The kernel module signature verification system of claim 29, wherein said kernel cryptographic framework and said kernel cryptographic framework daemon communicate via a plurality of input/output control commands.

31. A method of verifying and authenticating kernel cryptographic modules, said method comprising:
- providing a kernel cryptographic framework for verifying signature data in each of a plurality of kernel cryptographic modules; and
  
  providing a kernel cryptographic framework for communicating with said kernel cryptographic framework for performing module verification of said plurality of kernel cryptographic modules.
- View Dependent Claims (32, 33, 34, 35, 36)
- - 32. The method of claim 31, wherein said kernel cryptographic framework daemon creates an unnamed door that is passed to establish communication between said kernel cryptographic framework and said kernel cryptographic framework daemon.
  - 33. The method of claim 32, wherein said kernel cryptographic framework accepts registration requests from a requesting kernel module of said plurality of kernel cryptographic modules to register as cryptographic service providers.
  - 34. The method of claim 33, wherein said kernel cryptographic framework daemon verifies signature data contained in each of said plurality of kernel cryptographic modules after said requesting kernel module has registered with said kernel cryptographic framework.
  - 35. The method of claim 34, wherein said kernel cryptographic framework daemon passes results from verifying said signature data of said requesting kernel module to said kernel cryptographic framework.
  - 36. The method of claim 35, wherein said kernel cryptographic framework verifies whether said results from verifying said signature data of said requesting kernel module compares with signature information stored in said kernel cryptographic framework to authenticate said requesting kernel module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Yenduri, Bhargava K.

Application Number

US10/613,636
Publication Number

US 20050005101A1
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

Kernel cryptographic module signature verification system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Kernel cryptographic module signature verification system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links