Single-Chip Virtualizing and Obfuscating Storage System for Portable Computing Devices

US 20140325681A1
Filed: 03/11/2014
Published: 10/30/2014
Est. Priority Date: 03/12/2013
Status: Active Grant

First Claim

Patent Images

1. A portable computing device, comprising:

at least one operating system;

at least one virtualized storage device configured to be accessed by the operating system;

at least one physical storage device configured not to be directly accessible by the operating system; and

at least one virtualizing and obfuscating storage firmware module configured for executing concurrently with the operating system on a processor.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In certain embodiments, an information obfuscation service may be incorporated directly into the main applications processor of a portable computing device such that the applications processor and its relevant storage peripherals may be securely shared via a virtualization firmware module, avoiding the use of specialized hardware or major modifications of the operating system. The virtualizing and obfuscating storage firmware module may enable a much higher level of assurance in information-at-rest protection while using only the memory protection and privilege mode facilities inherent in common portable device applications microprocessors. The virtualizing and obfuscating storage firmware may interpose storage accesses originating from the operating system. This interposition may be performed seamlessly, without explicit knowledge of the operating system.

20 Citations

View as Search Results

61 Claims

1. A portable computing device, comprising:
- at least one operating system;
  
  at least one virtualized storage device configured to be accessed by the operating system;
  
  at least one physical storage device configured not to be directly accessible by the operating system; and
  
  at least one virtualizing and obfuscating storage firmware module configured for executing concurrently with the operating system on a processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The portable computing device of claim 1, wherein the virtualizing and obfuscating storage firmware module is configured to manifest the virtualized storage device on behalf of the operating system.
  - 3. The portable computing device of claim 1, wherein the virtualizing and obfuscating storage firmware module is configured to intercept storage access transactions between the at least one virtualized storage device and the at least one physical storage device.
  - 4. The portable computing device of claim 1, wherein the virtualizing and obfuscating storage firmware module is configured to perform obfuscation services of data as it is transferred between the at least one virtualized storage device and that at least one physical storage device.
  - 5. The portable computing device of claim 1, wherein the virtualizing and obfuscating storage firmware module is configured to be launched by a secure boot sequence requiring a hardware root of trust.
  - 6. The portable computing device of claim 1, wherein the virtualizing and obfuscating storage firmware module is configured to be measured by hardware of the portable computing device.
  - 7. The portable computing device of claim 1, wherein the virtualizing and obfuscating storage firmware module is configured to be measured by immutable firmware.
  - 8. The portable computing device of claim 1, wherein the virtualizing and obfuscating storage firmware module is configured to be verified to be valid by using one or more measurement parameters.
  - 9. The portable computing device of claim 8, wherein the one or more measurement parameters comprise at least one of a cryptographic key and a certificate within the portable device hardware.
  - 10. The portable computing device of claim 1, wherein the virtualizing and obfuscating storage firmware module is configured to be verified to be valid prior to execution.
  - 11. The portable computing device of claim 1, wherein the virtualizing and obfuscating storage firmware module comprises one or more additional logical threads of execution that can be mapped to one or physical threads or cores.
  - 12. The portable computing device of claim 11, wherein the additional logical threads of execution enable the virtualizing and obfuscating storage firmware module to execute concurrently with other portions of the at least one operating system to improve overall storage latency and system performance.
  - 13. The portable computing device of claim 1, wherein the virtualizing and obfuscating storage firmware module is configured to control and manage one or more sensors to enforce a policy in which the virtualized storage system is only made available when one or more sensor readings are within an acceptable range of values.
  - 14. The portable computing device of claim 13, wherein one or more sensors comprise at least one Global Positioning Satellite peripheral.
  - 15. The portable computing device of claim 13, wherein the one or more sensor readings obtained by the virtualizing and obfuscating storage firmware module are resistant to corruption by the operating system.
  - 16. The portable computing device of claim 13, wherein the one or more sensor readings are provided by at least one of a Global Positioning Service, a cellular signal, and another location-based services.
  - 17. The portable computing device of claim 1, wherein the virtualizing and obfuscating storage firmware module is configured to manifest at least one virtualized graphical display device configured to be accessed by the operating system.
  - 18. The portable computing device of claim 1, further comprising at least one physical graphical display device that cannot be directly accessed by the operating system.
  - 19. The portable computing device of claim 17, wherein the virtualizing and obfuscating storage firmware module is configured to require input of one or more obfuscation parameters by a user to the portable device using the virtualized graphical display device.
  - 20. The portable computing device of claim 19, wherein the virtualizing and obfuscating storage firmware module is configured to validate the one or more obfuscation parameters prior to enabling the operating system to use the virtualized storage system.
  - 21. The portable computing device of claim 19, wherein the obfuscation parameters are derived from one or more authentication parameters originating from one or more authentication sources.
  - 22. The portable computing device of claim 1, wherein the virtualizing and obfuscating storage firmware module is configured to provide a trusted indication to the user as to whether the virtualized graphical display device is being used in an authentication parameter input mode or in a general operating mode.
  - 23. The portable computing device of claim 1, wherein one or more color-coded pixels are included on one or more reserved portions of a physical graphical display device that are controlled and programmed by the virtualizing and obfuscating storage firmware module to have distinct outputs corresponding to each distinct mode.
  - 24. The portable computing device of claim 23, wherein the virtualizing and obfuscating storage firmware module prevents the operating system from modifying the appearance of the reserved portions of the physical graphical display device.
  - 25. The portable computing device of claim 23, wherein one or more graphical display pixels are positioned in distinct areas of the reserved portions of the physical graphical display device that are controlled and programmed by the virtualizing and obfuscating storage firmware module, such that one or more distinct positions correspond to one or more distinct modes.
  - 26. The portable computing device of claim 25, wherein the one or more distinct modes comprise multiple indications of color and position of one or more pixels within the reserved portion of the physical graphical display device.
  - 27. The portable computing device of claim 23, wherein the virtualizing and obfuscating storage firmware module is configured to control one or more visual indicators to have distinct outputs corresponding to each distinct mode.
  - 28. The portable computing device of claim 27, wherein the visual indicators comprise one or more on-board portable device LEDs.
  - 29. The portable computing device of claim 27, wherein the virtualizing and obfuscating storage firmware module prevents the operating system from modifying the visual indicators.

30. A method of information-in-transit protection, comprising:
- configuring at least one virtualized storage device to be accessed by an operating system;
  
  configuring at least one physical storage device not to be directly accessible by the operating system; and
  
  configuring at least one virtualizing and obfuscating firmware module for executing concurrently with the operating system on a processor.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 31. The method of claim 30, further comprising configuring the virtualizing and obfuscating storage firmware module to manifest the virtualized storage device on behalf of the operating system.
  - 32. The method of claim 30, further comprising configuring the virtualizing and obfuscating storage firmware module to intercept storage transactions between the at least one virtualized storage device and the at least one physical storage device.
  - 33. The method of claim 30, further comprising configuring the virtualizing and obfuscating storage firmware module to perform obfuscation services of data as it is transferred between the at least one virtualized storage device and that at least one physical storage device.
  - 34. The method of claim 30, further comprising configuring the virtualizing and obfuscating storage firmware module to be launched by a secure boot sequence requiring a hardware root of trust.
  - 35. The method of claim 30, further comprising configuring the virtualizing and obfuscating storage firmware module to be measured by hardware of the portable computing device.
  - 36. The method of claim 30, further comprising configuring the virtualizing and obfuscating storage firmware module to be measured by immutable firmware.
  - 37. The method of claim 30, further comprising verifying the virtualizing and obfuscating storage firmware module to be valid by using one or more measurement parameters.
  - 38. The method of claim 37, wherein the one or more measurement parameters comprise at least one of a cryptographic key and a certificate within the portable device hardware.
  - 39. The method of claim 30, wherein the virtualizing and obfuscating storage firmware module is configured to be verified to be valid prior to execution.
  - 40. The method of claim 30, wherein the virtualizing and obfuscating storage firmware module comprises one or more additional logical threads of execution that can be mapped to one or physical threads or cores.
  - 41. The method of claim 40, further comprising executing the virtualizing and obfuscating storage firmware module concurrently with other portions of the at least one operating system to improve overall storage latency and system performance.
  - 42. The method of claim 30, further comprising configuring the virtualizing and obfuscating storage firmware module to control and manage one or more sensors to enforce a policy in which the virtualized storage system is only made available when one or more sensor readings are within an acceptable range of values.
  - 43. The method of claim 42, wherein one or more sensors comprise at least one Global Positioning Satellite peripheral.
  - 44. The method of claim 42, wherein the one or more sensor readings obtained by the virtualizing and obfuscating storage firmware module are resistant to corruption by the operating system.
  - 45. The method of claim 42, wherein the one or more sensor readings are provided by at least one of a Global Positioning Service, a cellular signal, and another location-based services.
  - 46. The method of claim 30, further comprising obfuscating at least one critical security parameter within the physical storage system using obfuscation parameters derived from one or more authentication parameters.
  - 47. The method of claim 30, further comprising configuring the virtualizing and obfuscating storage firmware module to manifest at least one virtualized graphical display device configured to be accessed by the operating system.
  - 48. The method of claim 30, wherein the operating system cannot directly access at least one physical graphical display device.
  - 49. The method of claim 30, further comprising configuring the virtualizing and obfuscating storage firmware module to require input of one or more obfuscation parameters by a user to the portable device using the virtualized graphical display device.
  - 50. The method of claim 49, further comprising configuring the virtualizing and obfuscating storage firmware module to validate the one or more obfuscation parameters prior to enabling the operating system to use the virtualized storage system.
  - 51. The method of claim 49, wherein the obfuscation parameters are derived from one or more authentication parameters originating from one or more authentication sources.
  - 52. The method of claim 30, further comprising configuring the virtualizing and obfuscating storage firmware module to provide a trusted indication to the user as to whether the virtualized graphical display device is being used in an authentication parameter input mode or in a general operating mode.
  - 53. The method of claim 30, further comprising one or more color-coded pixels included on one or more reserved portions of a physical graphical display device that are controlled and programmed by the virtualizing and obfuscating storage firmware module to have distinct outputs corresponding to each distinct mode.
  - 54. The method of claim 53, further comprising configuring the virtualizing and obfuscating storage firmware module to prevent the operating system from modifying the appearance of the reserved portions of the physical graphical display device.
  - 55. The method of claim 53, further comprising positioning one or more graphical display pixels in distinct areas of the reserved portions of the physical graphical display device, such that one or more distinct positions correspond to one or more distinct modes.
  - 56. The method of claim 53, wherein the one or more distinct modes comprise multiple indications of color and position of one or more pixels within the reserved portion of the physical graphical display device.
  - 57. The method of claim 53, further comprising configuring the virtualizing and obfuscating storage firmware module to control one or more visual indicators to have distinct outputs corresponding to each distinct mode.
  - 58. The method of claim 57, wherein the visual indicators comprise one or more on-board portable device LEDs.
  - 59. The method of claim 57, further comprising configuring the virtualizing and obfuscating storage firmware module to prevent the operating system from modifying the visual indicators.
  - 60. The method of claim 30, further comprising rendering at least one of the virtualizing and obfuscating storage firmware module, the obfuscated storage, the operating system, and the portable device unusable for information processing if a predetermined time interval has been exceeded since a last successful input of authentication parameters.
  - 61. The method of claim 30, wherein the at least one of the virtualizing and obfuscating storage firmware module, the obfuscated storage, the operating system, and the portable device remains unusable for information processing until such time as a successful input of the authentication parameters is performed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Green Hills Software, LLC
Original Assignee
Green Hills Software Incorporated
Inventors
Kleidermacher, David Noah, Hettena, Daniel Jonathan, Banul, Frank John IV

Granted Patent

US 10,325,105 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/29
CPC Class Codes

G06F 21/575 Secure boot

G06F 21/6218 to a system of files or obj...

Single-Chip Virtualizing and Obfuscating Storage System for Portable Computing Devices

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

61 Claims

Specification

Solutions

Use Cases

Quick Links

Single-Chip Virtualizing and Obfuscating Storage System for Portable Computing Devices

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

61 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links