Agent presence monitor configured to execute in a secure environment

US 20070005957A1
Filed: 06/30/2005
Published: 01/04/2007
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method for confirming an agent presence, the method comprising:

executing a presence verifier from a secure execution environment, wherein the secure execution environment comprises at least one of a service processor, a virtual partition, an embedded microcontroller, and a system management mode;

using the presence verifier to monitor a signal communicated from the agent, wherein the agent is outside the secure execution environment; and

analyzing the signal to determine an operational state of the agent.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of a method and system for detecting and confirming an agent presence are disclosed herein. The agent presence can be confirmed by a secure management engine configured to execute in a secure execution environment. In various embodiments, a secure execution environment includes a service processor, a virtual partition, and an embedded microcontroller. The management engine is configured to monitor a signal communicated from the agent. Based on the monitored signal, an analysis determines an operational state of the agent. Embodiments include remote management applicability for monitoring a host agent.

Citations

25 Claims

1. A method for confirming an agent presence, the method comprising:
- executing a presence verifier from a secure execution environment, wherein the secure execution environment comprises at least one of a service processor, a virtual partition, an embedded microcontroller, and a system management mode;
  
  using the presence verifier to monitor a signal communicated from the agent, wherein the agent is outside the secure execution environment; and
  
  analyzing the signal to determine an operational state of the agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising registering the agent with the presence verifier.
  - 3. The method of claim 1, further comprising communicating the signal from the agent to the presence verifier through a network interface controller.
  - 4. The method of claim 1, further comprising communicating the signal from the agent to the presence verifier through a hardware driver interfacing with registers associated with the secure execution environment.
  - 5. The method of claim 1, further comprising using the presence verifier to monitor an encrypted signal communicated from the agent.
  - 6. The method of claim 5, further comprising using the presence verifier to authenticate the encrypted signal.
  - 7. The method of claim 1, further comprising registering the agent by generating a cryptographic hash of an identification region associated with an identity of the agent.
  - 8. The method of claim 1, further comprising using the presence verifier to determine if the agent is executing based on the analysis of the signal.
  - 9. The method of claim 1, further comprising using the presence verifier to monitor a monotonically increasing counter communicated from the agent.
  - 10. The method of claim 1, further comprising using the presence verifier to initiate at least one remediation action in response to a determination that the agent has ceased execution.

11. A computer-readable medium having stored thereon instructions, which when executed in a system confirm an agent presence, wherein the confirmation comprises:
- executing a management engine from a secure execution setting, wherein the secure execution setting comprises at least one of a service processor, a virtual partition, an embedded microcontroller, and a system management mode;
  
  using the management engine to monitor a signal communicated from the agent, wherein the agent is outside the secure execution setting; and
  
  analyzing the signal to determine a condition of the agent.
- View Dependent Claims (18)
- - 18. The medium of claim 11, wherein the confirmation further comprises initiating at least one remediation action in response to a determination that the agent has ceased execution.

12. The medium of the 11, wherein the confirmation further comprises registering the host agent with the management engine.

13. The medium of the 11, wherein the confirmation further comprises communicating the signal from the agent to the management engine through a network interface controller.

14. The medium of the 11, wherein the confirmation further comprises communicating the signal from the agent to the management engine through a hardware driver interfacing at least one register associated with the secure execution setting.

15. The medium of the 11, wherein the confirmation further comprises configuring the agent to issue an encrypted signal to the management engine.
- View Dependent Claims (16)
- - 16. The medium of claim 15, wherein confirmation further comprises configuring the management engine to read the encrypted signal issued from the agent.

17. The medium of the 11, wherein the confirmation further comprises registering the agent by using a one-way cryptographic hash associated with an identification property of the agent.

19. A system configured to validate an agent presence, the system comprising:
- a secure operating environment that comprises at least one of a service processor, a virtual partition, an embedded microcontroller, and a system management partition; and
  
  a management engine configured to execute from the secure operating environment, the management engine further configured to, monitor a signal issued from an agent associated with a host, wherein the agent is outside the secure operating environment; and
  
  determine an operational condition of the agent based on an analysis of the monitored signal.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The system of claim 19, further comprising a network interface controller which provides a communication channel between the agent and the management engine.
  - 21. The system of claim 19, further comprising a hardware driver which provides a communication channel between the agent and the management engine.
  - 22. The system of claim 19, further configured to register the agent with the management engine.
  - 23. The system of claim 19, further configured to register the agent by generating a cryptographic hash associated with an identity of the agent.
  - 24. The system of claim 19, wherein the agent is further configured to issue a monotonically increasing counter signal.
  - 25. The system of claim 19, wherein the agent is further configured to generate an encrypted signal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Schluessler, Travis, Sahita, Ravi, Hahn, Scott

Granted Patent

US 7,669,242 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 2221/2105 Dual mode as a secondary as...

Agent presence monitor configured to execute in a secure environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Agent presence monitor configured to execute in a secure environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links