Secure Virtual Machine Manager

US 20100115291A1
Filed: 10/02/2009
Published: 05/06/2010
Est. Priority Date: 10/02/2008
Status: Active Grant

First Claim

Patent Images

1. A secure processing system comprising:

a host processor;

a virtual machine instantiated on the host processor; and

a virtual unified security hub (USH) instantiated on the virtual machine, wherein the virtual USH emulates a hardware-based USH and provides a plurality of security services to an application executing on the host processor.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure processing systems providing host-isolated security are provided. An exemplary secure processing system includes a host processor and a virtual machine instantiated on the host processor. A virtual unified security hub (USH) is instantiated on the virtual machine to provide security services to applications executing on the host processor. The virtual USH may further include an application programming interface (API) operable to expose the security services to the applications. A further exemplary secure processing system includes a host processor running a windows operating system for example, a low power host processor, and a USH processor configured to provide secure services to both the host processor and the low power host processor isolating the secure services from the host processor and the low power processor. The USH processor may also include an API to expose the security services to applications executing on the host processor and/or the low power host processor.

53 Citations

View as Search Results

69 Claims

1. A secure processing system comprising:
- a host processor;
  
  a virtual machine instantiated on the host processor; and
  
  a virtual unified security hub (USH) instantiated on the virtual machine, wherein the virtual USH emulates a hardware-based USH and provides a plurality of security services to an application executing on the host processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 2. The secure processing system of claim 1, wherein the secure processing system includes a USH processor coupled to the host processor.
  - 3. The secure processing system of claim 1, wherein the secure processing system includes a USH processor coupled to the host processor over a communications network.
  - 4. The secure processing system of claim 1, wherein the secure processing system includes a USH processor coupled to the host processor via a hardware token.
  - 5. The secure processing system of claim 1, further comprising:
    - a user input device coupled to the virtual USH, wherein input data entered by a user input device is received at the virtual USH directly from the user input device.
  - 6. The secure processing system of claim 5, wherein the virtual USH is configured to determine whether to release the input data to the host processor.
  - 7. The secure processing system of claim 5, wherein the virtual USH is configured to encrypt the input data prior to release to the host processor.
  - 8. The secure processing system of claim 4, wherein the user device is a keyboard.
  - 9. The secure processing system of claim 4, wherein the user device is a biometric authentication device.
  - 10. The secure processing system of claim 4, wherein the user device is a smart card containing user authentication data.
  - 11. The secure processing system of claim 1, further comprising:
    - secure storage.
  - 12. The secure processing system of claim 11, wherein the virtual USH obtains data from the secure storage and stores data to the secure storage.
  - 13. The secure processing system of claim 11, wherein the secure storage is a trusted platform module.
  - 14. The secure processing system of claim 11, wherein the secure storage is a hardware token.
  - 15. The secure processing system of claim 1, wherein the virtual machine includes an application programming interface (API) operable to expose a plurality of secure services provided by the virtual USH to the application.
  - 16. The secure processing system of claim 15, wherein the API is configured to provide to a plurality of applications a unified interface for enrolling a user credential in a credential container.
  - 17. The secure processing system of claim 1, further comprising:
    - a plurality of additional virtual machines instantiated on the host processor, wherein the virtual USH provides a common authentication engine for each of the additional virtual machines.
  - 18. The secure processing system of claim 16, wherein the plurality of applications includes a plurality of authentication applications.
  - 19. The secure processing system of claim 18, further including a plurality of authentication input devices coupled to the virtual USH, wherein each authentication input device is included in a separate integrated circuit chip coupled to the host processor.
  - 20. The secure processing system of claim 18, wherein an authentication input for the plurality of authentication applications is provided by a contactless smart card.
  - 21. The secure processing system of claim 18, wherein an authentication input for the plurality of authentication applications is provided by a contacted smart card.
  - 22. The secure processing system of claim 16, wherein an application in the plurality of applications is executing on a processor external to the secure processing system.
  - 23. The secure processing system of claim 16, wherein the credential container includes the user credential and an associated security policy.
  - 24. The secure processing system of claim 16, wherein the API is further configured to make a credential container including an enrolled credential for a user available to a plurality of applications executing on the host processor.
  - 25. The secure processing system of claim 16, wherein the user credential includes a biometric template.
  - 26. The secure processing system of claim 25, wherein the biometric template is a fingerprint template.
  - 27. The secure processing system of claim 16, wherein the user credential includes a human interface device identifier.
  - 28. The secure processing system of claim 15, wherein the API is configured to provide to a plurality of applications a unified interface for provisioning a user credential to a credential container.
  - 29. The secure processing system of claim 28, wherein an application in the plurality of applications is executing on a processor external to the secure processing system.
  - 30. The secure processing system of claim 28, wherein the credential container includes the user credential and an associated security policy.
  - 31. The secure processing system of claim 28, wherein the API is further configured to make a credential container including a provisioned credential for a user available to a plurality of applications executing on the host processor.
  - 32. The secure processing system of claim 16, wherein the user credential includes a biometric template.
  - 33. The secure processing system of claim 32, wherein the biometric template is a fingerprint template.
  - 34. The secure processing system of claim 1, wherein the plurality of security services includes data encryption.
  - 35. The secure processing system of claim 1, wherein the plurality of security services includes user authentication.
  - 36. The secure processing system of claim 35, wherein the plurality of security services includes fingerprint matching.
  - 37. The secure processing system of claim 1, wherein the plurality of security services includes antivirus application.

38. A secure processing system comprising:
- a host processor;
  
  a low power host processor coupled to the host processor; and
  
  a unified security hub (USH) processor coupled to the host processor and low power host processor, wherein the USH processor is configured to provide a plurality of security services to the host processor and low power host processor, whereby the plurality of security services are isolated from the host processor and the low power host processor.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69)
- - 39. The secure processing system of claim 38, wherein the USH processor includes an application programming interface (API) operable to expose a plurality of secure services provided by the USH processor to a plurality of application executing on the host processor.
  - 40. The secure processing system of claim 38, wherein the virtual machine includes an application programming interface (API) operable to expose a plurality of secure services provided by the USH processor to a plurality of application executing on the low power processor.
  - 41. The secure processing system of claim 38, wherein the USH processor includes an API configured to provide to a plurality of applications a unified interface for enrolling a user credential in a credential container.
  - 42. The secure processing system of claim 41, wherein the plurality of applications includes a plurality of authentication applications.
  - 43. The secure processing system of claim 38, further comprising:
    - a plurality of virtual machines instantiated on the host processor, wherein the USH processor provides a common authentication engine to each of the virtual machines.
  - 44. The secure processing system of claim 38, wherein the USH processor provides a common authentication engine for an application executing on the host processor and an application executing on the low power processor.
  - 45. The secure processing system of claim 42, wherein the plurality of authentication applications are each included in a separate integrated circuit chip coupled to the host processor.
  - 46. The secure processing system of claim 42, wherein an authentication application in the plurality of authentication applications is provided by a contactless smart card.
  - 47. The secure processing system of claim 42, wherein an authentication application in the plurality of authentication applications is provided by a contacted smart card.
  - 48. The secure processing system of claim 41, wherein an application in the plurality of applications is executing on a processor external to the secure processing system.
  - 49. The secure processing system of claim 41, wherein the credential container includes the user credential and an associated security policy.
  - 50. The secure processing system of claim 41, wherein the API is further configured to make a credential container including an enrolled credential for a user available to a plurality of applications executing on the host processor.
  - 51. The secure processing system of claim 41, wherein the user credential includes a biometric template.
  - 52. The secure processing system of claim 51, wherein the biometric template is a fingerprint template.
  - 53. The secure processing system of claim 41, wherein the user credential includes a human interface device identifier.
  - 54. The secure processing system of claim 38, wherein the USH processor includes an API configured to provide to a plurality of applications a unified interface for provisioning a user credential to a credential container.
  - 55. The secure processing system of claim 54, wherein an application in the plurality of applications is executing on a processor external to the secure processing system.
  - 56. The secure processing system of claim 54, wherein the credential container includes the user credential and an associated security policy.
  - 57. The secure processing system of claim 54, wherein the API is further configured to make a credential container including a provisioned credential for a user available to a plurality of applications executing on the host processor.
  - 58. The secure processing system of claim 49, wherein the user credential includes a biometric template.
  - 59. The secure processing system of claim 58, wherein the biometric template is a fingerprint template.
  - 60. The secure processing system of claim 38, wherein the plurality of security services includes data encryption.
  - 61. The secure processing system of claim 38, wherein the plurality of security services includes user authentication.
  - 62. The secure processing system of claim 38, wherein the plurality of security services includes fingerprint matching.
  - 63. The secure processing system of claim 38, wherein the plurality of security services includes antivirus application.
  - 64. The secure processing system of claim 38, further comprising:
    - a user input device coupled to the USH processor, wherein input data entered by a user input device is received at the virtual USH directly from the user input device.
  - 65. The secure processing system of claim 64, wherein the USH processor is configured to determine whether to release the input data to the host processor.
  - 66. The secure processing system of claim 64, wherein the USH processor is configured to encrypt the input data prior to release to the host processor.
  - 67. The secure processing system of claim 64, wherein the user device is a keyboard.
  - 68. The secure processing system of claim 64, wherein the user device is a biometric authentication device.
  - 69. The secure processing system of claim 64, wherein the user device is a smart card containing user authentication data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
BUER, Mark

Granted Patent

US 8,996,885 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/192
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 21/72   in cryptographic circuits

Secure Virtual Machine Manager

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

69 Claims

Specification

Use Cases

Quick Links

Others

Secure Virtual Machine Manager

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

69 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others