METHOD AND APPARATUS FOR SECURE SCAN OF DATA STORAGE DEVICE FROM REMOTE SERVER

US 20110289306A1
Filed: 05/21/2010
Published: 11/24/2011
Est. Priority Date: 05/21/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a block read request from a remote server driver using an out-of-band (OOB) agent executing on a computing device, the OOB agent being capable of communicating with the remote server driver irrespective of the state of an operating system of the computing device;

sending a storage command to a data storage device using a host driver of the computing device, in response to receiving the block read request;

receiving data retrieved from the data storage device and authentication metadata generated by the data storage device, in response to the storage command; and

verifying the data, with the OOB agent or the remote server driver, using the authentication metadata.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for providing a secure scan of a data storage device from a remote server are disclosed. In some embodiments, a computing device may include an in-band processor configured to execute an operating system and at least one host driver, communication circuitry configured to communicate with a remote server, and an out-of-band (OOB) processor capable of communicating with the remote server using the communication circuitry irrespective of the state of the operating system. The OOB processor may be configured to receive a block read request from the remote server, instruct the at least one host driver to send a storage command to a data storage device, receive data retrieved from the data storage device and authentication metadata generated by the data storage device, and transmit the data and the authentication metadata to the remote server.

Citations

25 Claims

1. A method comprising:
- receiving a block read request from a remote server driver using an out-of-band (OOB) agent executing on a computing device, the OOB agent being capable of communicating with the remote server driver irrespective of the state of an operating system of the computing device;
  
  sending a storage command to a data storage device using a host driver of the computing device, in response to receiving the block read request;
  
  receiving data retrieved from the data storage device and authentication metadata generated by the data storage device, in response to the storage command; and
  
  verifying the data, with the OOB agent or the remote server driver, using the authentication metadata.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein receiving the block read request from the remote server using the OOB agent comprises receiving the block read request using a firmware module executing on an OOB processor of the computing device.
  - 3. The method of claim 1, wherein receiving the block read request from the remote server driver using the OOB agent comprises receiving the block read request while the operating system of the computing device is not executing.
  - 4. The method of claim 3, wherein sending the storage command to the data storage device comprises generating the storage command using a basic input/output system (BIOS) driver of the computing device.
  - 5. The method of claim 1, wherein sending the storage command to the data storage device comprises sending the storage command using an advanced host controller interface (AHCI) driver of the computing device.
  - 6. The method of claim 1, wherein receiving authentication metadata generated by the data storage device comprises receiving an output of a keyed hash function applied to the data retrieved from the data storage device.
  - 7. The method of claim 6, wherein verifying the data, with the OOB agent or the remote server driver, using the authentication metadata comprises reapplying the keyed hash function to the data and comparing the output of the keyed hash function to the authentication metadata.
  - 8. The method of claim 7, wherein receiving authentication metadata generated by the data storage device further comprises receiving a counter value that indicates a time the data was retrieved from the data storage device.
  - 9. The method of claim 8, wherein verifying the data, with the OOB agent or the remote server driver, using the authentication metadata further comprises comparing the counter value to an expected time.
  - 10. The method of claim 1, wherein receiving authentication metadata generated by the data storage device comprises receiving a digital signature based upon the data retrieved from the data storage device and a private key.
  - 11. The method of claim 10, wherein verifying the data, with the OOB agent or the remote server driver, using the authentication metadata comprises verifying the digital signature using a public key corresponding to the private key.
  - 12. The method of claim 1, further comprising transmitting the data and the authentication metadata to the remote server driver using the OOB agent, wherein the remote server driver verifies the data using the authentication metadata.
  - 13. The method of claim 1, further comprising transmitting the data to the remote server driver using the OOB agent, wherein the OOB agent verifies the data using the authentication metadata prior to transmitting the data.

14. One or more tangible, machine-readable media comprising a plurality of instructions that, in response to being executed, result in a computing device:
- receiving a block read request from a remote server using an out-of-band (OOB) processor of the computing device, the OOB processor being capable of communicating with the remote server irrespective of whether an in-band processor of the computing device is executing an operating system;
  
  sending a storage command to a data storage device using the in-band processor of the computing device, in response to receiving the block read request;
  
  receiving data retrieved from the data storage device and authentication metadata generated by the data storage device, in response to the storage command; and
  
  transmitting the data and the authentication metadata to the remote server using the OOB processor.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The one or more tangible, machine-readable media of claim 14, wherein receiving the block read request from the remote server using the OOB processor comprises receiving the block read request while the in-band processor is not executing the operating system.
  - 16. The one or more tangible, machine-readable media of claim 14, wherein receiving authentication metadata generated by the data storage device comprises receiving a message authentication code generated using the data retrieved from the data storage device.
  - 17. The one or more tangible, machine-readable media of claim 16, wherein receiving authentication metadata generated by the data storage device further comprises receiving a counter value that indicates a time the data was retrieved from the data storage device.
  - 18. The one or more tangible, machine-readable media of claim 14, wherein receiving authentication metadata generated by the data storage device comprises receiving a digital signature generated using the data retrieved from the data storage device.
  - 19. The one or more tangible, machine-readable media of claim 14, wherein the plurality of instructions, in response to being executed, further result in the OOB processor of the computing device verifying the data using the authentication metadata prior to transmitting the data and the authentication metadata to the remote server.

20. A computing device comprising:
- an in-band processor configured to execute an operating system and at least one host driver;
  
  communication circuitry configured to communicate with a remote server; and
  
  an out-of-band (OOB) processor capable of communicating with the remote server using the communication circuitry irrespective of the state of the operating system, the OOB processor configured to;
  
  receive a block read request from the remote server;
  
  instruct the at least one host driver to send a storage command to a data storage device;
  
  receive data retrieved from the data storage device and authentication metadata generated by the data storage device; and
  
  transmit the data and the authentication metadata to the remote server.
- View Dependent Claims (21, 22, 23)
- - 21. The computing device of claim 20, wherein the at least one host driver is a basic input/output system (BIOS) driver executed by the in-band processor before executing the operating system.
  - 22. The computing device of claim 20, wherein the at least one host driver is an advanced host controller interface (AHCI) driver executed by the in-band processor while executing the operating system.
  - 23. The computing device of claim 20, wherein the OOB processor is further configured to verify the data using the authentication metadata prior to transmitting the data and the authentication metadata to the remote server.

24. A computing device comprising:
- an in-band processor configured to execute an operating system and at least one driver, the in band processor executing the driver in a secure container that is separate from the operating system;
  
  communication circuitry configured to communicate with a remote server; and
  
  an out-of-band (OOB) processor capable of communicating with the remote server using the communication circuitry irrespective of the state of the operating system, the OOB processor configured to;
  
  receive a block read request from the remote server;
  
  instruct the at least one driver executing in the secure container to send a storage command to a data storage device;
  
  receive data retrieved from the data storage device via the at least one driver executing in the secure container; and
  
  transmit the data to the remote server.
- View Dependent Claims (25)
- - 25. The computing device of claim 24, wherein the operating system is configured to retrieve data from the data storage device by instructing, via one or more firmware hooks, the at least one driver executing in the secure container to send a storage command to the data storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Edwards, David A., Khosravi, Hormuzd M., Gokulrangan, Venkat R., Rasheed, Yasser

Granted Patent

US 8,856,534 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/2
CPC Class Codes

G06F 21/567   using dedicated hardware

G06F 21/606   by securing the transmissio...

G06F 21/64   Protecting data integrity, ...

G06F 21/85   interconnection devices, e....

G06F 2213/0038   System on Chip

METHOD AND APPARATUS FOR SECURE SCAN OF DATA STORAGE DEVICE FROM REMOTE SERVER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR SECURE SCAN OF DATA STORAGE DEVICE FROM REMOTE SERVER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links