AUTOMATIC HARDWARE-BASED RECOVERY OF A COMPROMISED COMPUTER

US 20100070800A1
Filed: 03/09/2009
Published: 03/18/2010
Est. Priority Date: 09/15/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

calculating, with an auxiliary circuit within a computing device, an integrity verification value for a boot component of the computing device, wherein the boot component comprises program instructions required for execution by a processor of the computing device to place the computing device into an operating mode;

determining whether the calculated integrity verification value is associated with an acceptable boot component; and

replacing, with the auxiliary circuit of the computing device, the boot component with a copy of a trusted version of the boot component when the integrity verification value is not associated with an acceptable boot component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, techniques are described for hardware-based detection and automatic restoration of a computing device from a compromised state. Moreover, the techniques provide for automatic, hardware-based restoration of selective software components from a trusted repository. The hardware-based detection and automatic restoration techniques may be integrated within a boot sequence of a computing device so as to efficiently and cleanly replace only any infected software component.

66 Citations

View as Search Results

33 Claims

1. A method comprising:
- calculating, with an auxiliary circuit within a computing device, an integrity verification value for a boot component of the computing device, wherein the boot component comprises program instructions required for execution by a processor of the computing device to place the computing device into an operating mode;
  
  determining whether the calculated integrity verification value is associated with an acceptable boot component; and
  
  replacing, with the auxiliary circuit of the computing device, the boot component with a copy of a trusted version of the boot component when the integrity verification value is not associated with an acceptable boot component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising after replacing the boot component, outputting a signal with the auxiliary circuit to direct the processor of the computing device to execute the copy of the trusted version of the boot component.
  - 3. The method of claim 2, wherein the boot component is one of a plurality of boot components in a boot sequence of the computing device, the method further comprising:
    - after replacing the boot component, executing the copy of the trusted version of the boot component with the processor;
      
      after executing the copy of the trusted version of the boot component, determining, with the processor, whether at least one additional boot component remains in the boot sequence of the computing device; and
      
      outputting a signal with the processor to the auxiliary circuit to request that the auxiliary circuit calculate an integrity verification value for the additional boot component.
  - 4. The method of claim 3,wherein executing the copy of the trusted version of the boot component comprises executing only the copy of the trusted version of the boot component without re-executing any of the plurality of boot components the precede the boot component in the boot sequence.
  - 5. The method of claim 3,further comprising sequentially verifying each of the boot components in the boot sequence and selectively replacing only the boot components that are unacceptable with trusted copies.
  - 6. The method of claim 4, further comprising:
    - sequentially verifying each of the boot components in the boot sequence and selectively replacing only the boot components that are unacceptable by;
      
      (a) selecting, with the processor, a next one of the boot components in the boot sequence that has not been executed by the processor since a power-up of the computing device;
      
      (b) calculating, with the auxiliary circuit, an integrity value for the next one of the boot components,(c) determining whether the calculated integrity verification value is associated with an acceptable boot component,(d) replacing, with the auxiliary circuit of the computing device, the next one of the boot components with a copy of a trusted version of the next one of the boot components when the integrity verification value is not associated with an acceptable boot component,(e) without re-executing any of the boot components in the boot sequence that precede the next one of the boot components, executing the copy of the trusted version of the next one of the boot components the processor of the computing device,(f) determining whether at least one boot component remains in the boot sequence, and(g) when additional boot components remain in the boot sequence, repeating the steps (a)-(f) for each remaining boot component in the sequence.
  - 7. The method of claim 1, further comprising receiving, with the computing device, a message from a quality control server indicating that one or more boot components are infected or corrupt.
  - 8. The method of claim 1, further comprising outputting, with the auxiliary circuit, a reset signal to the computing device after replacing the boot component with a copy of a trusted version of the boot component.
  - 9. The method of claim 1, wherein determining whether the calculated integrity verification value is associated with an acceptable boot component comprises comparing the calculated integrity verification value with a list of stored values, wherein each stored value corresponds to an acceptable boot component.
  - 10. The method of claim 1, wherein replacing the boot component with a copy of a trusted version of the boot component comprises:
    - with the auxiliary circuit, reading the copy of the trusted version of the boot component from a trusted storage medium on the device; and
      
      overwriting the boot component in a primary storage of the computing device with the copy of the trusted version of the boot component.
  - 11. The method of claim 10, wherein the trusted storage medium is inaccessible by the processor.
  - 12. The method of claim 1, wherein replacing the boot component with a copy of a trusted version of the boot component comprises:
    - with the auxiliary circuit, requesting a copy of a trusted version of the boot component from a trusted boot component server, wherein the trusted boot component server is a network device that stores trusted versions of boot components for the computing device;
      
      receiving the copy of a trusted version of the boot component from the trusted boot component server;
      
      overwriting the boot component in primary storage with the copy of a trusted version of the boot component.
  - 13. The method of claim 1, wherein the auxiliary circuit is a modified trusted platform hardware module, and wherein the integrity verification value is a digital signature.
  - 14. The method of claim 1, further comprising after determining that the integrity verification value is not associated with an acceptable boot component, and prior to replacing the boot component with a copy of a trusted version of the boot component, providing an indication to a user that the integrity verification value is not associated with an acceptable boot component.
  - 15. The method of claim 14, wherein the indication is one of a message on a display, an indicator light, a chime or beep, a voice message, or an e-mail.
  - 16. The method of claim 14, further comprising receiving, with the auxiliary circuit, an input from the user directing the auxiliary circuit to replace the boot component with a copy of a trusted version of the boot component.

17. A computing device containing an auxiliary circuit that comprises:
- an integrity verification value calculator circuit configured to calculate an integrity verification value for a boot component of the computing device, wherein the boot component comprises program instructions required for execution by a processor of the computing device to place the computing device into an operating mode;
  
  an infection detection circuit configured to determine whether the integrity verification value is associated with an acceptable boot component; and
  
  a recovery circuit configured to replace the boot component with a copy of a trusted version of the boot component when the integrity verification value is not associated with an acceptable boot component.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 18. The computing device of claim 17, wherein the recovery circuit is configured to output a signal to direct the processor of the computing device to execute the copy of the trusted version of the boot component after it replaces the boot component.
  - 19. The computing device of claim 18,wherein the boot component is one of a plurality of boot components in a boot sequence,wherein, after executing the copy of the trusted version of the boot component, the processor determines whether at least one additional boot component remains in the boot sequence of the computing device and outputs a signal to the auxiliary circuit to request that the auxiliary circuit calculate an integrity verification value for the additional boot component.
  - 20. The computing device of claim 19, wherein the processor of the computing device, in response to receiving the signal from the auxiliary circuit, is configured to execute only the copy of the trusted version of the boot component without re-executing any of the boot components that precede the boot component in the boot sequence.
  - 21. The computing device of claim 19,wherein the processor is configured to output signals to direct the auxiliary circuit to sequentially verify any unexecuted boot components in the boot sequence and selectively replace only the boot components that are unacceptable with trusted copies.
  - 22. The computing device of claim 17, wherein the auxiliary circuit further comprises a communication circuit configured to receive a message from a quality control server indicating that one or more boot components stored on the computing device are infected or corrupt.
  - 23. The computing device of claim 17, wherein the recovery circuit is configured to output a reset signal to the computing device after replacing the boot component with the copy of the trusted version of the boot component.
  - 24. The computing device of claim 17, wherein the infection detection circuit is configured to determine whether the calculated integrity verification value is associated with an acceptable boot component by comparing the calculated integrity verification value with a set of stored values, wherein each stored value corresponds to an acceptable boot component.
  - 25. The computing device of claim 17, further comprisinga primary storage that stores the boot component;
    - a trusted storage medium that stores the trusted version of the boot component;
      
      wherein, to replace the boot component with a copy of a trusted version of the boot component, the recovery circuit is configured to read the copy of the trusted version of the boot component from the trusted storage medium and to overwrite the boot component in the primary storage with the copy of the trusted version of the boot component.
  - 26. The computing device of claim 25, wherein the trusted storage medium is inaccessible by the processor.
  - 27. The computing device of claim 17,wherein the auxiliary circuit further comprises a communication circuit configured to request and receive the copy of the trusted version of the boot component from a trusted boot component server, wherein the trusted boot component server is a network device that stores trusted versions of boot components for the device,wherein the recovery circuit is configured to replace the boot component with a copy of a trusted version of the boot component by overwriting, with the copy of a trusted version of the boot component received by the communication circuit, the boot component in primary storage.
  - 28. The computing device of claim 17, wherein the auxiliary circuit is a modified trusted platform module, and wherein the integrity verification value is a digital signature.
  - 29. The computing device of claim 17, wherein, after the infection detection circuit determines that the integrity verification value is not associated with an acceptable boot component, and before the recovery circuit replaces the boot component with a copy of a trusted version of the boot component, the auxiliary circuit provides an indication to a user that the integrity verification value is not associated with an acceptable boot component.
  - 30. The computing device of claim 29, wherein the indication is one of a message on a display, an indicator light, a chime or beep, a voice message, or an e-mail.
  - 31. The computing device of claim 29, wherein the auxiliary circuit receives input from the user directing the auxiliary circuit to replace the boot component with a copy of a trusted version of the boot component.

32. A system comprising:
- a computing device;
  
  a trusted boot component server that stores trusted versions of boot components for the computing device,wherein the computing device contains an auxiliary circuit comprising;
  
  an integrity verification value calculator circuit that calculates an integrity verification value for a boot component of the computing device, wherein the boot component comprises program instructions required for execution by a processor of the computing device to place the computing device into an operating mode;
  
  an infection detection circuit that determines whether the integrity verification value is associated with an acceptable boot component; and
  
  a recovery circuit that replaces the boot component with a copy of a trusted version of the boot component received from the trusted boot component server when the integrity verification value is not associated with an acceptable boot component.
- View Dependent Claims (33)
- - 33. The system of claim 32, further comprising:
    - a quality control server that monitors communication and activity information of the computing device and sends a message to the computing device when the communication and activity information indicates that the computing device is compromised.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Hanna, Stephen R.

Granted Patent

US 8,103,909 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/6
CPC Class Codes

G06F 21/575 Secure boot

AUTOMATIC HARDWARE-BASED RECOVERY OF A COMPROMISED COMPUTER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

66 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

AUTOMATIC HARDWARE-BASED RECOVERY OF A COMPROMISED COMPUTER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others