SECURE APPLICATION ATTESTATION USING DYNAMIC MEASUREMENT KERNELS

US 20120166795A1
Filed: 12/24/2010
Published: 06/28/2012
Est. Priority Date: 12/24/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an attestation request at an application;

loading an attestation kernel into a storage unit in response to the attestation request;

executing one or more operations, corresponding to the attestation request and in accordance with data stored in the storage unit, to generate a manifest;

generating an attestation of data stored in the storage unit;

verifying a state of the application based on the generated attestation of the data stored in the storage unit and the manifest;

generating a statement of application measurement based on a hash of the manifest; and

transmitting the application measurement and the attestation data to the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus to provide secure application attestation using dynamic measurement kernels are described. In some embodiments, secure application attestation is provided by using dynamic measurement kernels. In various embodiments, P-MAPS (Processor-Measured Application Protection Service), Secure Enclaves (SE), and/or combinations thereof may be used to provide dynamic measurement kernels to support secure application attestation. Other embodiments are also described.

137 Citations

30 Claims

1. A method comprising:
- receiving an attestation request at an application;
  
  loading an attestation kernel into a storage unit in response to the attestation request;
  
  executing one or more operations, corresponding to the attestation request and in accordance with data stored in the storage unit, to generate a manifest;
  
  generating an attestation of data stored in the storage unit;
  
  verifying a state of the application based on the generated attestation of the data stored in the storage unit and the manifest;
  
  generating a statement of application measurement based on a hash of the manifest; and
  
  transmitting the application measurement and the attestation data to the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the storage unit is one of an attestation enclave or an attestation container.
  - 3. The method of claim 1, wherein verifying the state of the application is to comprise scanning memory associated with the application.
  - 4. The method of claim 1, further comprising a virtual machine monitor checking the attestation of the data stored in the storage unit and issuing a measurement of the data stored in the storage unit, wherein the transmitting is to transmit the measurement of the data stored in the storage unit.
  - 5. The method of claim 1, further comprising a virtual machine monitor checking the attestation of the data stored in the storage unit and issuing a measurement of the data stored in the storage unit, wherein the transmitting is to transmit the measurement of the data stored in the storage unit and a quote generated by a trusted hardware entity.
  - 6. The method of claim 1, wherein verifying the state of the application is to comprise scanning memory associated with the application and wherein code within the storage unit is allowed to access memory outside of the storage unit, while code outside of the storage unit is prevented from accessing the data stored in the storage unit.
  - 7. The method of claim 1, wherein executing the one or more operations is to be performed based on the attestation kernel.
  - 8. The method of claim 1, wherein the manifest is comprise a random challenge nonce.
  - 9. The method of claim 1, wherein the manifest is to be signed by a trusted entity.
  - 10. The method of claim 1, further comprising cryptographically signing the attestation of the data stored in the storage unit.
  - 11. The method of claim 1, further comprising transmitting the manifest, the application measurement, and the attestation data to a third party.

12. A computer-readable medium comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations to:
- receive an attestation request at an application;
  
  load an attestation kernel into a storage unit in response to the attestation request;
  
  execute one or more operations, corresponding to the attestation request and in accordance with data stored in the storage unit, to generate a manifest;
  
  generate an attestation of data stored in the storage unit;
  
  verify a state of the application based on the generated attestation of the data stored in the storage unit and the manifest;
  
  generate a statement of application measurement based on a hash of the manifest; and
  
  transmit the application measurement and the attestation data to the application.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The computer-readable medium of claim 12, further comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations to scan memory associated with the application.
  - 14. The computer-readable medium of claim 12, further comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations to check, by a virtual machine monitor, the attestation of the data stored in the storage unit and to issue a measurement of the data stored in the storage unit.
  - 15. The computer-readable medium of claim 12, further comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations to check, by a virtual machine monitor, the attestation of the data stored in the storage unit and to issue a measurement of the data stored in the storage unit.
  - 16. The computer-readable medium of claim 12, further comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations to scan memory associated with the application and wherein code within the storage unit is allowed to access memory outside of the storage unit, while code outside of the storage unit is prevented from accessing the data stored in the storage unit.
  - 17. The computer-readable medium of claim 12, wherein the storage unit is one of an attestation enclave or an attestation container.
  - 18. The computer-readable medium of claim 12, wherein the manifest is comprise a random challenge nonce.
  - 19. The computer-readable medium of claim 12, further comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations to cryptographically sign the attestation of the data stored in the storage unit.
  - 20. The computer-readable medium of claim 12, further comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations to transmit the manifest, the application measurement, and the attestation data to a third party.

21. A system comprising:
- a memory to store one or more instructions corresponding to a container; and
  
  a processor to execute the one or more instructions to;
  
  receive an attestation request at an application;
  
  load an attestation kernel into a storage unit in response to the attestation request;
  
  execute one or more operations, corresponding to the attestation request and in accordance with data stored in the storage unit, to generate a manifest;
  
  generate an attestation of data stored in the storage unit;
  
  verify a state of the application based on the generated attestation of the data stored in the storage unit and the manifest;
  
  generate a statement of application measurement based on a hash of the manifest; and
  
  transmit the application measurement and the attestation data to the application.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21, wherein the storage unit is one of an attestation enclave or an attestation container.
  - 23. The system of claim 21, further comprising a virtual machine monitor to check the attestation of the data stored in the storage unit and issue a measurement of the data stored in the storage unit.
  - 24. The system of claim 21, further comprising a trusted entity to sign the manifest.
  - 25. The system of claim 24, wherein the trusted entity is a trusted platform module.
  - 26. The system of claim 21, further comprising logic to cryptographically sign the attestation of the data stored in the storage unit.
  - 27. The system of claim 21, further comprising logic to transmit the manifest, the application measurement, and the attestation data to a third party.
  - 28. The system of claim 21, wherein the manifest is comprise a random challenge nonce.
  - 29. The system of claim 21, further comprising a virtual machine monitor to check the attestation of the data stored in the storage unit and issue a measurement of the data stored in the storage unit
  - 30. The system of claim 29, further comprising logic to transmit the measurement of the data stored in the storage unit and a quote generated by a trusted hardware entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Wood, Matthew D., Saint-Hilaire, Ylian

Granted Patent

US 9,087,196 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

SECURE APPLICATION ATTESTATION USING DYNAMIC MEASUREMENT KERNELS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

137 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE APPLICATION ATTESTATION USING DYNAMIC MEASUREMENT KERNELS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

137 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links