Software Revocation Infrastructure

US 20150067323A1
Filed: 09/04/2013
Published: 03/05/2015
Est. Priority Date: 09/04/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

distributing, over a network, multiple instances of a signed software component to multiple devices, the instances including an identification of a revocation authority;

receiving a request, at a processor of the revocation authority, for a revocation message of the signed software component; and

transmitting, by the processor, the revocation message in response to the request, the revocation message including mitigation information for configuration of the signed software component on one or more of the devices and including a signature.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one implementation, software components include an identity of a revocation authority. Prior to loading of the software in a given platform, the revocation authority is checked for any revocation messages. The revocation authority creates software component specific messages for any software components to be revoked, rather than using certificate revocation or individual licenses. The messages include mitigation information, such as instructions for automatically configuring already installed software without requiring an update or change in code.

Citations

20 Claims

1. A method comprising:
- distributing, over a network, multiple instances of a signed software component to multiple devices, the instances including an identification of a revocation authority;
  
  receiving a request, at a processor of the revocation authority, for a revocation message of the signed software component; and
  
  transmitting, by the processor, the revocation message in response to the request, the revocation message including mitigation information for configuration of the signed software component on one or more of the devices and including a signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein distributing comprises distributing the signed software component comprises transmitting over the network.
  - 3. The method of claim 1 wherein distributing comprises distributing with the instances including an expiration for revocation, and wherein the requests are received only for instances that are not past the expiration for the revocation.
  - 4. The method of claim 1 wherein distributing comprises distributing with the instances including a revocation distribution mechanism, and wherein receiving comprises receiving the requests formatted according to the revocation distribution mechanism.
  - 5. The method of claim 1 wherein receiving comprises receiving the requests as requests for a list including the revocation message.
  - 6. The method of claim 1 wherein receiving comprises receiving the requests as look-ups from a list of revocation messages, including the revocation message, served by the revocation authority.
  - 7. The method of claim 1 wherein transmitting comprises transmitting the revocation message in a list of other revocation messages, the other revocation messages being for other signed software components than the signed software component.
  - 8. The method of claim 1 wherein transmitting comprises transmitting with the mitigation information for the configuration by filtering operation of the signed software component.
  - 9. The method of claim 1 wherein transmitting comprises transmitting with the mitigation information for the configuration by changing behavior of the signed software component without installing an update of the signed software component, the change in behavior comprising disabling the signed software component, turning off part of the signed software component, altering an interface, altering a port, or combinations thereof.
  - 10. The method of claim 1 further comprising:
    - receiving the revocation message from a third-party and re-signing the revocation message with the signature, the signature corresponding to a certificate of an authority trusted to redistribute revocation messages.
  - 11. The method of claim 1 wherein transmitting comprises transmitting to an administrator for the device.
  - 12. The method of claim 1 wherein transmitting comprises transmitting to the device, the mitigation information useable automatically by the device for the configuration.
  - 13. The method of claim 1 wherein transmitting comprises transmitting the revocations message altered for an operating system of the one device.

14. Logic encoded in one or more non-transitory computer-readable media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- activating a software component on a platform, the software component including a first signature and having a version;
  
  verifying that the first signature is valid and rooted in a trusted signing certificate;
  
  checking for revocation of the version of the software component;
  
  receiving mitigation information when the version is revoked; and
  
  processing the mitigation information for the software component.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The logic of claim 14 wherein activating, verifying, checking, receiving and processing are performed prior to loading or installing the software component on the platform.
  - 16. The logic of claim 14 further comprising verifying a second signature of the mitigation information after receiving the mitigation information.
  - 17. The logic of claim 14 wherein processing the mitigation information comprises automatically configuring the software component without changing instruction code of the software component.
  - 18. The logic of claim 14 wherein receiving the mitigation information comprises receiving a revocation message for the version of the software component and not for a certificate or a license.

19. Logic encoded in one or more non-transitory computer-readable media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- distributing a signed revocation message comprising mitigation information for a vulnerability of software, the mitigation information including one or more instructions for automatic mitigation by a platform loading the software.
- View Dependent Claims (20)
- - 20. The logic of claim 19 wherein distributing comprises transmitting a list of signed revocation messages including the signed revocation message in response to a request formatted pursuant to a distribution mechanism identified in metadata of the software, and wherein the instructions are for configuration of the software without changing code of the software.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Salowey, Joseph, Pritikin, Max

Granted Patent

US 9,298,923 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06F 21/12   Protecting executable software

G06F 21/57   Certifying or maintaining t...

H04L 9/3268   using certificate validatio...

Software Revocation Infrastructure

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Software Revocation Infrastructure

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links