Mobile security system and method

US 20070118880A1
Filed: 11/18/2005
Published: 05/24/2007
Est. Priority Date: 11/18/2005
Status: Active Grant

First Claim

Patent Images

1. A security system for a communications device or network having at least one component, the system comprising:

at least one trust zone correlating to an area of the at least one component, the trust zone determining accessibility by trusted entities and non-trusted entities to the area of the component of the communications device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing a secure environment for mobile telephones and other devices are disclosed. The system and method may utilize trust zoning, layered memory, and a secure matrix model having, for example, a memory protection module for protecting memory; a secure debug module for ensuring security of the debug module; a secure file system module for protecting the secure file system; and a trusted time source module for protecting components. Embodiments of the present invention may protect against security attacks on a variety of hardware and software components while permitting suitable levels of accessibility for developmental and maintenance purposes.

Citations

49 Claims

1. A security system for a communications device or network having at least one component, the system comprising:
- at least one trust zone correlating to an area of the at least one component, the trust zone determining accessibility by trusted entities and non-trusted entities to the area of the component of the communications device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The security system of claim 1, wherein the at least one component further comprises memory.
  - 3. The security system of claim 2, wherein memory comprises layered memory having at least one layer, the at least one layer corresponding to the at least one trust zone.
  - 4. The security system of claim 3, wherein at least one portion of the trust zones in the plurality of trust zones may be accessible by non-trusted entities and at least one portion of the trust zones within the plurality of trust zones may be accessible by trusted entities.
  - 5. The security system of claim 3, wherein layered memory further comprises at least one element selected from a group consisting essentially of system memory;
    - peripheral memory;
      
      application digital signal processor memory; and
      
      flash memory.

6. A security system for a communications environment having a plurality of components, the system comprising:
- a security matrix model having a plurality of modules, each module in the plurality of modules securing at least one component in the plurality of components.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 7. The security system of claim 6, wherein the plurality of components further comprises memory;
    - a debug module; and
      
      a file system.
  - 8. The security system of claim 7, wherein the plurality of modules further comprise:
    - a memory protection module for protecting memory;
      
      a secure debug module for ensuring security of the debug module;
      
      a secure file system module for protecting the secure file system; and
      
      a trusted time source module for protecting at least one component in the plurality of components.
  - 9. The security system of claim 7, wherein the memory protection module further comprises at least one element selected from a group consisting essentially of a predetermined number of main memory memory protection unit blocks;
    - modem processor memory management unit;
      
      a modem subsystem secure mode multiplexer block;
      
      an application digital signal processor memory protection unit;
      
      direct memory access controller security features; and
      
      general purpose input/output expansion interface security features.
  - 10. The security system of claim 9, wherein the main memory memory protection unit blocks further comprise at least one element selected from a group consisting essentially of a first memory protection unit;
    - a second memory protection unit;
      
      a peripheral memory protection unit; and
      
      a NAND memory protection unit.
  - 11. The security system of claim 9, wherein the peripheral memory protection unit further comprises at least one element selected from a group consisting essentially of security violation indication;
    - configuration registers and status registers;
      
      security identification sideband signal receipt.
  - 12. The security system of claim 7, wherein the NAND memory protection unit further comprises at least one element selected from group consisting essentially of NAND flash memory page protection;
    - configuration registers; and
      
      status registers.
  - 13. The security system of claim 9, wherein the direct memory access controller security features further comprise at least one element selected from a group consisting essentially of an embedded memory protection unit;
    - at least one shadow register; and
      
      a security identification.
  - 14. The security system of claim 9, wherein the general purpose input/output expansion interface security features further comprise at least one element selected from a group consisting essentially of at least one shadow register and at least one bitmask.
  - 15. The security system of claim 8, wherein the memory protection module further comprises at least one element selected from a group consisting essentially of main memory;
    - peripheral memory and flash memory.
  - 16. The security system of claim 15, wherein main memory further comprises at least one main memory partition selected from a group consisting essentially of a distributed mass storage system partition;
    - a distributed mass storage system externalized state partition;
      
      at least one video frame buffer partition;
      
      at least one partition; and
      
      at least one application digital signal processor partition.
  - 17. The security system of claim 15, wherein peripheral memory further comprises at least one peripheral memory partition selected from a group consisting essentially of a direct memory access controller secure peripheral partition;
    - a non-direct memory access controller secure peripheral partition;
      
      a general purpose input/output expansion interface shadow registers partition;
      
      at least one direct memory access controller shadow register partition; and
      
      at least one application digital signal processor partition.
  - 18. The security system of claim 17, wherein flash memory further comprises at least one partition selected from a group consisting essentially of a distributed mass storage system partition and a read-only third party operating system partition.
  - 19. The security system of claim 8, wherein the secure debug module further comprises at least one element selected from a group consisting essentially of modem supervisory mode controller private instructions;
    - a test interface controller;
      
      modem automated resource manager debug; and
      
      provision of hardware key fuses and security control fuses.
  - 20. The security system of claim 8, wherein the secure debug module further comprises at least one element selected from a group consisting essentially of an modem supervisory mode terminal access point controller;
    - a modem automated resource manager;
      
      a test interface controller multiplexer; and
      
      a joint test action group mode multiplexer.
  - 21. The security system of claim 20, wherein the modem automated resource manager further comprises a single input pin for controlling access to debug capabilities.
  - 22. The system of claim 20, wherein the joint test action group mode multiplexer further comprises access capabilities to the modem supervisory mode;
    - the modem automated resource manager;
      
      an application automated resource manager or a combination thereof.
  - 23. The security system of claim 8, wherein the secure file system module further comprises a hardware key.
  - 24. The security system of claim 23, wherein the hardware key is stored in on-chip, non-volatile memory.
  - 25. The security system of claim 8, wherein the secure file system module further comprises a cryptography engine block and a direct memory access controller block.
  - 26. The security system of claim 8, wherein the secure file system module further comprises a disabling fuse that, when blown, disables the programming functionality for hardware key fuses.
  - 27. The security system of claim 8, wherein the trusted time source module further comprises modules selected from a group consisting essentially of a module for keeping a local time reference while network time sources are unavailable;
    - a module for periodically saving and restoring time in external, non-volatile memory; and
      
      a module for synchronizing a local time with a source of network time.
  - 28. The security system of claim 27, wherein the module for keeping a local time reference further comprises a sleep controller circuit.
  - 29. The security system of claim 28, wherein the sleep control circuit further comprises a timer.
  - 30. The security system of claim 27, wherein the source of network time further comprises an element selected from a group consisting essentially of code division multiple access and global positioning satellite.
  - 31. The security system of claim 8, further comprising a security mode control module having at least one register selected from a group consisting essentially of a boot mode register;
    - a first debug register;
      
      a second debug register;
      
      a first hardware register; and
      
      a second hardware register.
  - 32. The security system of claim 31, wherein the first debug register further comprises a terminal access point control register.
  - 33. The security system of claim 31, wherein the second debug register further comprises a debug control register.
  - 34. The security system of claim 31, wherein the first hardware register further comprises a hardware key register.
  - 35. The security system of claim 31, wherein the second hardware register further comprises a secure debug enable chain register.

36. A security system for a communications device having a plurality of components including a debug module, a secure file system, and a layered memory scheme, the system comprising:
- at least one trust zone correlating to the layered memory scheme, the trust zone determining accessibility by trusted entities and non-trusted entities to the area of the component of the communications device;
  
  a security matrix model having a plurality of modules, each module in the plurality of modules securing at least one component in the plurality of components, the security matrix model having;
  
  a memory protection module for protecting memory;
  
  a secure debug module for ensuring security of the debug module;
  
  a secure file system module for protecting the secure file system; and
  
  a trusted time source module for protecting at least one component in the plurality of components; and
  
  a security mode control module.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43)
- - 37. The security system of claim 36, wherein the security system further comprises a trusted boot module.
  - 38. The security system of claim 37, wherein the trusted boot module further comprises at least one element selected from a group consisting essentially of boot read only memory;
    - memory protection of external, non-volatile memory area;
      
      a software-readable register;
      
      a pair of input pins for boot mode choice; and
      
      on-chip, non-volatile memory bit.
  - 39. The system of claim 37, wherein the security system further comprises at least one on-chip memory component.
  - 40. The security system of claim 39, wherein the at least on on-chip memory component further comprises at least one component selected from a group consisting essentially of boot read only memory;
    - boot random access memory; and
      
      secure scratch pad memory.
  - 41. The security system of claim 40, wherein the boot read only memory further comprises a modem automated resource manager primary boot loader.
  - 42. The security system of claim 40, wherein the boot random access manager further comprises application operating system trusted code for application automated resource manager warm boots.
  - 43. The security system of claim 40, wherein secure scratch pad memory further comprises utilization by a modem automated resource manager for security-related computations.

44. A mobile telephone having a plurality of components including a debug module, a secure file system, and a layered memory scheme, the mobile telephone comprising:
- at least one trust zone correlating to the layered memory scheme, the trust zone determining accessibility by trusted entities and non-trusted entities to the area of the component of the communications device;
  
  a security matrix model having a plurality of modules, each module in the plurality of modules securing at least one component in the plurality of components, the security matrix model having;
  
  a memory protection module for protecting memory;
  
  a secure debug module for ensuring security of the debug module;
  
  a secure file system module for protecting the secure file system; and
  
  a trusted time source module for protecting at least one component in the plurality of components; and
  
  a security mode control module.

45. A security method for a communications device having a plurality of components including a debug module, a secure file system, a secure boot mode, secure debug mode, and a layered memory scheme, the method comprising steps of:
- a step for correlating at least one trust zone to the layered memory scheme, the trust zone determining accessibility by trusted entities and non-trusted entities to the area of at least one component in the plurality of components of the communications device;
  
  a step for protecting memory via a memory protection module;
  
  a step for ensuring security of the debug module via a secure debug module;
  
  a step for protecting the secure file system via a secure file system module;
  
  a step for protecting at least one component in the plurality of components via a trusted time source module; and
  
  a step for aggregating logic and signals of the secure boot mode and secure debug mode security via a security mode control module.

46. A security method for a communications device having components including layered memory, a debug module, and a file system, the method comprising steps of:
- correlating at least one trust zone to a portion of layered memory;
  
  protecting memory via a memory protection module;
  
  ensuring the security of the debug module via a secure debug module;
  
  protecting the secure file system via a secure file system module;
  
  protecting the communications device via a trusted time source module; and
  
  aggregating logic and signals for secure boot mode and secure debug mode via a security mode control module.

48. A security system for a communications device having components including layered memory, a debug module, and a file system, the system comprising:
- means for correlating at least one trust zone to a portion of layered memory;
  
  means for protecting memory via a memory protection module;
  
  means for ensuring the security of the debug module via a secure debug module;
  
  means for protecting the secure file system via a secure file system module;
  
  means for protecting the communications device via a trusted time source module; and
  
  means for aggregating logic and signals for secure boot mode and secure debug mode via a security mode control module.
- View Dependent Claims (47, 49)
- - 47. The security method of claim 48, further comprising steps of:
    - securing a boot process via a trusted boot module; and
      
      protecting components via at least one on-chip memory.
  - 49. The security system of claim 48, further comprising:
    - means for securing a boot process via a trusted boot module; and
      
      means for protecting components via at least one on-chip memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Mauro, Anthony

Granted Patent

US 7,921,303 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/79 in semiconductor storage me...

G06F 2221/2105 Dual mode as a secondary as...

Mobile security system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Mobile security system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links