SECURE COMMUNICATION USING A TRUSTED VIRTUAL MACHINE
Abstract
A client system, such as a computer or a smartphone, securely exchanges sensitive information with a remote service provider computer system such as a bank or an online retailer. The client system executes a commercially available operating system in an untrusted virtual machine (VM), which may be affected by malware. A hypervisor is configured to launch a trusted, malware-free VM from an authenticated image stored on computer-readable media used by the untrusted VM. The trusted VM executes a thin operating system with minimal functionality, to manage a secure communication channel with the remote server system, wherein sensitive communication is encrypted. Data from the trusted VM is forwarded via the hypervisor to a network interface driver of the untrusted VM for transmission to the remote service provider. The service provider may perform a remote attestation of the client system to determine whether it operates a trusted VM.
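The exchange the abstract describes, as an added, runnable simulation that is not code from the patent or its assignee: the hypervisor checks the trusted-VM image before loading it, the trusted VM produces an encrypted data unit, the untrusted VM's network driver forwards that unit as opaque bytes (and may tamper with it), and the server performs the attestation of claim 18 before granting access to a protected resource. Everything concrete here is an assumption for illustration: the image is authenticated with an HMAC-SHA256 tag under a key the hypervisor holds (a real design would verify an asymmetric signature), the channel uses a toy encrypt-then-MAC construction built from HMAC-SHA256 so the script runs offline with only the standard library (a real trusted VM would use TLS or an AEAD), and the image bytes, keys and account request are constructed sample data.

```python
import hashlib
import hmac
import json
import os

# Assumed keys (not from the patent): one the hypervisor uses to verify images,
# one provisioned into the trusted-VM image and known to the server.
IMAGE_AUTH_KEY = b"hypervisor image authentication key"
CHANNEL_KEY = b"secret shared by trusted VM image and server"


def tag_image(image: bytes) -> bytes:
    """Authentication tag shipped with the image; the hypervisor checks it before loading."""
    return hmac.new(IMAGE_AUTH_KEY, image, hashlib.sha256).digest()


def measure(image: bytes) -> str:
    """Measurement the server compares against its list of approved trusted-VM images."""
    return hashlib.sha256(image).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: HMAC-SHA256 counter keystream plus an HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("data unit failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TrustedVM:
    """Thin VM: encrypts the sensitive request and embeds its own measurement."""
    def __init__(self, image: bytes):
        self.measurement = measure(image)

    def data_unit(self, request: dict) -> bytes:
        payload = json.dumps({"measurement": self.measurement, "request": request}).encode()
        return encrypt(CHANNEL_KEY, payload)


class UntrustedNicDriver:
    """Network driver inside the untrusted VM: sees only ciphertext, may be malicious."""
    def __init__(self, server, tamper: bool = False):
        self.server, self.tamper, self.seen = server, tamper, []

    def transmit(self, data_unit: bytes) -> dict:
        self.seen.append(data_unit)
        if self.tamper:  # malware flipping one ciphertext bit in transit
            data_unit = data_unit[:20] + bytes([data_unit[20] ^ 0x01]) + data_unit[21:]
        return self.server.receive(data_unit)


class Server:
    def __init__(self, approved_images):
        self.approved = {measure(img) for img in approved_images}

    def receive(self, data_unit: bytes) -> dict:
        try:
            payload = json.loads(decrypt(CHANNEL_KEY, data_unit))
        except ValueError:
            return {"status": "rejected", "reason": "integrity"}
        if payload["measurement"] not in self.approved:  # attestation step of claim 18
            return {"status": "rejected", "reason": "attestation"}
        return {"status": "granted", "resource": "account/" + payload["request"]["account"]}


class Hypervisor:
    def __init__(self, driver: UntrustedNicDriver):
        self.driver = driver

    def connect(self, image: bytes, image_tag: bytes, request: dict) -> dict:
        if not hmac.compare_digest(image_tag, tag_image(image)):  # 1. authenticity check
            return {"status": "not launched", "reason": "image not authentic"}
        tvm = TrustedVM(image)             # 2. load the authentic image, launch trusted VM
        unit = tvm.data_unit(request)      # 3. receive encrypted data unit from trusted VM
        return self.driver.transmit(unit)  # 4. hand it to the untrusted VM's NIC driver


GOOD_IMAGE = b"thin-os trusted vm image v1 (constructed sample)"


def run(image=GOOD_IMAGE, image_tag=None, tamper=False, approved=(GOOD_IMAGE,)):
    """One user request end to end; returns the server reply and what the driver saw."""
    driver = UntrustedNicDriver(Server(approved), tamper=tamper)
    tag = tag_image(GOOD_IMAGE) if image_tag is None else image_tag  # vendor-supplied tag
    reply = Hypervisor(driver).connect(image, tag, {"account": "12345", "op": "balance"})
    return reply, driver.seen
```

`run()` with the defaults is the happy path; passing a modified image with the original tag shows the hypervisor refusing to launch, `tamper=True` shows the server rejecting a data unit the untrusted driver altered, and an authentic image the server does not recognise fails attestation even though the channel itself is intact.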
19 Claims
1. A client computer system comprising at least a processor configured to operate:
an untrusted virtual machine including a set of drivers for controlling a first set of hardware devices of the client computer system, the first set of hardware devices comprising a network interface, the set of drivers including a network interface driver for the network interface; and
a hypervisor configured to control a second set of hardware devices of the client computer system, the second set comprising a shared device selected from a group consisting of an output device and an input device, wherein the hypervisor is further configured to:
in response to the untrusted virtual machine receiving a user request to connect to a remote server system, launch a trusted virtual machine distinct from the untrusted virtual machine, wherein launching the trusted virtual machine comprises:
employing the hypervisor to determine the authenticity of an image of the trusted virtual machine; and
when the image of the trusted virtual machine is authentic, employing the hypervisor to load the image into a memory of the client computer system;
in response to launching the trusted virtual machine, receive a data unit from the trusted virtual machine, wherein the data unit is encrypted by the trusted virtual machine; and
send the data unit to the network interface driver of the untrusted virtual machine for transmission to the remote server system through the network interface;
and wherein the hypervisor is further configured to employ time-division multiplexing to alternate granting exclusive use of the shared device to the trusted virtual machine with granting exclusive use of the shared device to the untrusted virtual machine.
Dependent claims: 2, 3.
4. A server computer system comprising at least a processor and configured to receive a data unit from a client computer system, wherein the client computer system is configured to operate:
an untrusted virtual machine including a set of drivers for controlling a first set of hardware devices of the client computer system, the first set of hardware devices comprising a network interface, the set of drivers including a network interface driver for the network interface; and
a hypervisor configured to control a second set of hardware devices of the client computer system, the second set comprising a shared device selected from a group consisting of an input device and an output device, wherein the hypervisor is further configured to:
in response to the untrusted virtual machine receiving a user request to connect to a remote server system, launch a trusted virtual machine distinct from the untrusted virtual machine, wherein launching the trusted virtual machine comprises:
employing the hypervisor to determine the authenticity of an image of the trusted virtual machine; and
when the image of the trusted virtual machine is authentic, employing the hypervisor to load the image into a memory of the client computer system;
in response to launching the trusted virtual machine, receive a data unit from the trusted virtual machine, wherein the data unit is encrypted by the trusted virtual machine; and
send the data unit to the network interface driver of the untrusted virtual machine for transmission to the server computer system through the network interface;
and wherein the hypervisor is further configured to employ time-division multiplexing to alternate granting exclusive use of the shared device to the trusted virtual machine with granting exclusive use of the shared device to the untrusted virtual machine.
Dependent claims: 5, 6, 7.
8. A client computer system comprising at least a processor configured to operate a hypervisor, the hypervisor further configured to:
in response to a user request to connect to a remote server system, launch a trusted virtual machine on the client computer system, the trusted virtual machine loaded from a computer-readable medium used by an untrusted virtual machine executing on the client computer system;
in response to launching the trusted virtual machine, receive a data unit from the trusted virtual machine; and
send the data unit to a network interface driver of the untrusted virtual machine for transmission to the remote server system.
Dependent claims: 9, 10, 11.
12. A server computer system comprising at least a processor and configured to receive a data unit from a client computer system, wherein the client computer system is configured to operate a hypervisor, the hypervisor further configured to:
in response to a user request to connect to the server computer system, launch a trusted virtual machine on the client computer system, the trusted virtual machine loaded from a computer-readable medium used by an untrusted virtual machine executing on the client computer system;
in response to launching the trusted virtual machine, receive the data unit from the trusted virtual machine; and
send the data unit to a network interface driver of the untrusted virtual machine for transmission to the server computer system.
Dependent claims: 13, 14, 15, 16.
17. A method comprising employing a hypervisor executing on a client computer system, the client computer system including at least a processor, to:
in response to a user request to connect to a server computer system, launch a trusted virtual machine on the client computer system, the trusted virtual machine loaded from a computer-readable medium used by an untrusted virtual machine executing on the client computer system;
in response to launching the trusted virtual machine, receive a data unit from the trusted virtual machine; and
send the data unit to a network interface driver of the untrusted virtual machine, for transmission to the server computer system.
18. A method comprising:
employing a server computer system comprising at least a processor to receive a data unit from a client computer system, wherein the client computer system is configured to operate a hypervisor configured to:
in response to a user request to connect to the server computer system, launch a trusted virtual machine on the client computer system, the trusted virtual machine loaded from a computer-readable medium used by an untrusted virtual machine executing on the client computer system;
in response to launching the trusted virtual machine, receive the data unit from the trusted virtual machine; and
in response to receiving the data unit, send the data unit to a network interface driver of the untrusted virtual machine for transmission to the server computer system;
employing the server computer system to perform an attestation of the trusted virtual machine according to the data unit; and
when the attestation is successful, employing the server computer system to grant the client computer system access to a protected resource of the server computer system.
19. A non-transitory computer-readable medium storing instructions which, when executed, cause a client computer system comprising at least a processor to form a hypervisor, the hypervisor further configured to:
in response to a user request to connect to a remote server computer system, launch a trusted virtual machine on the client computer system, the trusted virtual machine loaded from a computer-readable medium used by an untrusted virtual machine executing on the client computer system;
in response to launching the trusted virtual machine, receive a data unit from the trusted virtual machine; and
send the data unit to a network interface driver of the untrusted virtual machine for transmission to the remote server computer system.