SECURE HOSTED EXECUTION ARCHITECTURE

US 20130007470A1
Filed: 06/30/2011
Published: 01/03/2013
Est. Priority Date: 06/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method for executing applications, comprising:

accessing a secure storage element via a host device comprising a computer processor;

executing, by the computer processor, a hosted execution runtime environment (HERE) on the host device;

identifying a persistent memory image of the HERE within the secure storage element;

executing, by the computer processor, an application using the HERE; and

applying, based on executing the application, a first plurality of changes to the persistent memory image.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, in one aspect, the invention relates to a method for executing applications. The method includes accessing a secure storage element via a host device including a computer processor; executing, by the computer processor, a hosted execution runtime environment (HERE) on the host device; identifying a persistent memory image of the HERE within the secure storage element; executing, by the computer processor, an application using the HERE; and applying, based on executing the application, a first set of changes to the persistent memory image.

14 Citations

View as Search Results

20 Claims

1. A method for executing applications, comprising:
- accessing a secure storage element via a host device comprising a computer processor;
  
  executing, by the computer processor, a hosted execution runtime environment (HERE) on the host device;
  
  identifying a persistent memory image of the HERE within the secure storage element;
  
  executing, by the computer processor, an application using the HERE; and
  
  applying, based on executing the application, a first plurality of changes to the persistent memory image.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - executing a secure element runtime environment (SERE) residing in the secure storage element; and
      
      initiating a secure communication session between the HERE and the SERE, wherein executing the application is further performed by the SERE, and wherein applying the first plurality of changes to the persistent memory image is performed by the SERE.
  - 3. The method of claim 2, further comprising:
    - obtaining, by the HERE and over the secure communication session, the persistent memory image from the secure storage element; and
      
      creating a cache of the persistent memory image in the host device prior to executing the application, wherein the first plurality of changes are made to the cache during execution of the application.
  - 4. The method of claim 3, wherein applying the first plurality of changes to the persistent memory image comprises:
    - maintaining a change log corresponding to the cache;
      
      storing, during execution of the application, the first plurality of changes to the cache in the change log;
      
      transmitting, over the secure communication session and after executing the application, the change log to the SERE; and
      
      applying, by the SERE, the first plurality of changes to the persistent memory image.
  - 5. The method of claim 3, further comprising:
    - re-executing the application after applying the first plurality of changes to the persistent memory image;
      
      storing, while re-executing the application, a second plurality of changes to the cache in a session change log residing in the secure storage element, wherein the second plurality of changes is stored as a series of idempotent entries in the session change log;
      
      creating a copy of the persistent memory image in the secure storage element;
      
      initiating a process to apply the second plurality of changes to the copy of the persistent memory image;
      
      detecting an interruption of the process; and
      
      reapplying, in response to detecting the interruption, the second plurality of changes to the copy of the persistent memory image.
  - 6. The method of claim 3, further comprising:
    - re-executing the application after applying the first plurality of changes to the persistent memory image;
      
      storing, while re-executing the application, a second plurality of changes to the cache in a session change log residing in the secure storage element;
      
      creating a copy of a plurality of pages of the persistent memory image in the secure storage element;
      
      applying the second plurality of changes to the copy of the plurality of pages; and
      
      deleting, after applying the second plurality of changes, the session change log and the copy of the plurality of pages.
  - 7. The method of claim 2, wherein executing the application further comprises:
    - identifying a security sensitive section of the application;
      
      computing a check value for the security sensitive section;
      
      generating a comparison of the check value with a registered check value stored in the secure storage element, wherein the check value and the registered check value are equal;
      
      validating, by the SERE, the security sensitive section based on the comparison; and
      
      executing the security sensitive section after validating the security sensitive section.
  - 8. The method of claim 6, wherein the security sensitive section comprises a cryptographic computation.
  - 9. The method of claim 1, further comprising:
    - designating a section of the persistent memory image for the application, wherein the first plurality of changes are applied to the designated section.
  - 10. The method of claim 1, wherein the first plurality of changes comprises a single item atomic change to a persistent object, and wherein the first plurality of changes are stored in a session change log residing in the secure storage element.
  - 11. The method of claim 1, wherein accessing the secure storage element comprises:
    - obtaining, from a user of the host device, a security credential; and
      
      authenticating the user based on the security credential.

12. A system for executing applications, comprising:
- a host device comprising a computer processor;
  
  a secure storage element operatively connected to the host device and configured to authenticate a user of the host device for access to the secure storage element; and
  
  a hosted execution runtime environment (HERE) executing on the computer processor and configured to;
  
  identify a persistent memory image of the HERE within the secure storage element; and
  
  execute an application, wherein a first plurality of changes are applied to the persistent memory image of the HERE based on executing the application.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12, further comprising:
    - a secure element runtime environment (SERE) residing in the secure storage element and executing on the computer processor, wherein the application is executed using the SERE, and wherein applying the first plurality of changes to the persistent memory image is performed by the SERE,wherein the HERE is further configured to;
      
      initiate, after authenticating the user, a secure communication session between the HERE and the SERE.
  - 14. The system of claim 13, wherein the HERE is further configured to:
    - obtain, over the secure communication session, the persistent memory image from the secure storage element; and
      
      create a cache of the persistent memory image in the host device prior to executing the application, wherein the first plurality of changes is made to the cache during execution of the application.
  - 15. The system of claim 13, wherein the HERE is further configured to:
    - maintain a change log corresponding to the cache;
      
      store, during execution of the application, the first plurality of changes to the cache in the change log; and
      
      transmit, over the secure communication session and after executing the application, the change log to the SERE, wherein the first plurality of changes is applied to the persistent memory image by the SERE.
  - 16. The system of claim 13, wherein the HERE is further configured to re-execute the application, and wherein the SERE is further configured to:
    - store, while the application is re-executed, a second plurality of changes to the cache in a session change log residing in the secure storage element;
      
      create a copy of the persistent memory image in the secure storage element;
      
      initiate a process to apply the second plurality of changes to the copy of the persistent memory image;
      
      detect an interruption of the process; and
      
      delete, in response to detecting the interruption, the copy of the persistent memory image.
  - 17. The system of claim 13, wherein the HERE is further configured to re-execute the application, and wherein the SERE is further configured to:
    - store, while the application is re-executed, a second plurality of changes to the cache in a session change log residing in the secure storage element;
      
      create a copy of the persistent memory image in the secure storage element;
      
      apply the second plurality of changes to the copy of the persistent memory image; and
      
      delete, after the second plurality of changes are applied to the copy of the persistent memory image, the session change log and the copy of the persistent memory image.
  - 18. The system of claim 13, wherein executing the application further comprises:
    - identifying a security sensitive section of the application;
      
      computing a check value for the security sensitive section;
      
      generating a comparison of the check value with a registered check value stored in the secure storage element, wherein the check value and the registered check value are equal;
      
      validating, by the SERE, the security sensitive section based on the comparison; and
      
      executing the security sensitive section after validating the security sensitive section.

19. A non-transitory computer-readable storage medium storing a plurality of instructions for executing applications, the plurality of instructions comprising functionality to:
- access a secure storage element via a host device;
  
  execute a hosted execution runtime environment (HERE) on the host device;
  
  identify a persistent memory image of the HERE within the secure storage element;
  
  execute an application using the HERE; and
  
  apply, based on executing the application, a first plurality of changes to the persistent memory image.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable storage medium of claim 19, wherein the plurality of instructions further comprise functionality to:
    - execute a secure element runtime environment (SERE) residing in the secure storage element; and
      
      initiate a secure communication session between the HERE and the SERE, wherein executing the application is further performed by the SERE, and wherein applying the first plurality of changes to the persistent memory image is performed by the SERE.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Ravishankar, Tanjore S., Violleau, Thierry P.

Granted Patent

US 8,543,841 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 21/54   by adding security routines...

G06F 2221/2147   Locking files

G06F 2221/2153   Using hardware token as a s...

SECURE HOSTED EXECUTION ARCHITECTURE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE HOSTED EXECUTION ARCHITECTURE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links