BINARY TRANSLATION OF A TRUSTED BINARY WITH INPUT TAGGING

US 20160188873A1
Filed: 12/27/2014
Published: 06/30/2016
Est. Priority Date: 12/27/2014
Status: Active Grant

First Claim

Patent Images

1. A computing apparatus comprising:

a trusted execution environment (TEE);

one or more logic elements comprising an input verification engine (IVE) within the TEE, the IVE operable for;

receiving a trusted binary object;

analyzing the trusted binary object to identify portions that perform input/output operations;

tagging the portions to create a tagged trusted binary with tagged portions; and

providing the portions to a binary translation engine; and

one or more logic elements comprising the binary translation engine (BTE) within the TEE, the BTE operable for;

receiving the tagged trusted binary in a first format;

translating the tagged trusted binary into a second binary object in a second format, wherein translating comprises reserving the tagged portions for execution within an enclave.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a computing device includes a trusted execution environment (TEE), including an enclave. The enclave may include both a binary translation engine (BTE) and an input verification engine (IVE). In one embodiment, the IVE receives a trusted binary as an input, and analyzes the trusted binary to identify functions, classes, and variables that perform input/output operations. To ensure the security of these interfaces, those operations may be performed within the enclave. The IVE tags the trusted binary and provides the binary to the BTE. The BTE then translates the trusted binary into a second format, including designating the tagged portion for execution within the enclave. The BTE may also sign the new binary in the second format and export it out of the enclave.

38 Citations

View as Search Results

25 Claims

1. A computing apparatus comprising:
- a trusted execution environment (TEE);
  
  one or more logic elements comprising an input verification engine (IVE) within the TEE, the IVE operable for;
  
  receiving a trusted binary object;
  
  analyzing the trusted binary object to identify portions that perform input/output operations;
  
  tagging the portions to create a tagged trusted binary with tagged portions; and
  
  providing the portions to a binary translation engine; and
  
  one or more logic elements comprising the binary translation engine (BTE) within the TEE, the BTE operable for;
  
  receiving the tagged trusted binary in a first format;
  
  translating the tagged trusted binary into a second binary object in a second format, wherein translating comprises reserving the tagged portions for execution within an enclave.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computing apparatus of claim 1, wherein the IVE is further operable for:
    - provisioning an enclave within the TEE; and
      
      performing at least some of its functions within the enclave.
  - 3. The computing apparatus of claim 2, wherein the IVE is further operable for provisioning the BTE within the enclave.
  - 4. The computing apparatus of claim 3, wherein the BTE comprises a binary translator selected from the group consisting of a runtime engine, an interpreter, a just-in-time compiler, ahead-of-time compiler, a virtual machine, a compiler, a linker, and a toolchain utility.
  - 5. The computing apparatus of claim 3, wherein the BTE comprises a Java Virtual Machine, and wherein the IVE is at least partly implemented in Java and configured to operate within the BTE.
  - 6. The computing apparatus of claim 1, wherein the IVE is further operable for performing input verification.
  - 7. The computing apparatus of claim 6, wherein the IVE comprises a module selected from the group consisting of a secure network stack, a secure graphics engine, a secure human input device interface engine, a secure audio engine, a secure image processing engine, a secure telemetry engine, a secure global positioning system receiver, and a binary input analyzer.
  - 8. The computing apparatus of claim 1, wherein the BTE is further operable for signing the second binary object.
  - 9. The computing apparatus of claim 8, wherein the first signed object is to be signed by a key, and wherein signing the second object comprises signing the second object with the key.
  - 10. The computing apparatus of claim 8, wherein first signed object is to be signed with a first key, and wherein signing the second object comprises signing the second object with a second key signed by a common issuer of the first key.
  - 11. The computing apparatus of claim 8, wherein first signed object is to be signed with a first key, and wherein signing the second object comprises signing the second object with a second key provided by a vendor of the first object.
  - 12. The computing apparatus of claim 8, wherein first signed object is to be signed with a first key, and wherein signing the second object comprises signing the second object with a second key signed by the first key.
  - 13. The computing apparatus of claim 8, wherein the binary translation engine is further operable for consulting a certificate expiration or revocation list before signing the second object.

14. One or more computer-readable mediums having stored thereon instructions that, when executed, instruct a processor for:
- providing an input verification engine (IVE) within a TEE, the IVE operable for;
  
  receiving a trusted binary object;
  
  analyzing the trusted binary object to identify portions that perform input/output operations;
  
  tagging the portions to create a tagged trusted binary with tagged portions; and
  
  providing the portions to a binary translation engine; and
  
  providing the binary translation engine (BTE) within the TEE, the BTE operable for;
  
  receiving the tagged trusted binary in a first format;
  
  translating the tagged trusted binary into a second binary object in a second format, wherein translating comprises reserving the tagged portions for execution within an enclave.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The one or more computer-readable mediums of claim 14, wherein the IVE is further operable for:
    - provisioning an enclave within the TEE; and
      
      performing at least some of its functions within the enclave.
  - 16. The one or more computer-readable mediums of claim 15, wherein the IVE is further operable for provisioning the BTE within the enclave.
  - 17. The one or more computer-readable mediums of claim 16, wherein the BTE comprises a Java Virtual Machine, and wherein the IVE is at least partly implemented in Java and configured to operate within the BTE.
  - 18. The one or more computer-readable mediums of claim 14, wherein the IVE is further operable for performing input verification.
  - 19. The one or more computer-readable mediums of claim 14, wherein the BTE is further operable for signing the second binary object.
  - 20. The one or more computer-readable mediums of claim 19, wherein the first signed object is to be signed by a key, and wherein signing the second object comprises signing the second object with the key.
  - 21. The one or more computer-readable mediums of claim 19, wherein first signed object is to be signed with a first key, and wherein signing the second object comprises signing the second object with a second key signed by a common issuer of the first key.
  - 22. The one or more computer-readable mediums of any of claim 19, wherein first signed object is to be signed with a first key, and wherein signing the second object comprises signing the second object with a second key provided by a vendor of the first object.
  - 23. The one or more computer-readable mediums of claim 19, wherein first signed object is to be signed with a first key, and wherein signing the second object comprises signing the second object with a second key signed by the first key.

24. A computer-implemented method for execution within a trusted execution environment (TEE), comprising:
- receiving a trusted binary object;
  
  analyzing the trusted binary object to identify portions that perform input/output operations;
  
  tagging the portions to create a tagged trusted binary with tagged portions; and
  
  translating the tagged trusted binary into a second binary object in a second format, wherein translating comprises reserving the tagged portions for execution within an enclave.
- View Dependent Claims (25)
- - 25. The method of claim 24, further comprising signing the second binary object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, LLC
Inventors
Smith, Ned M., Rubakha, Dmitri, Shah, Samir, Martin, Jason, Sheller, Micah J., Chakrabarti, Somnath, Xing, Bin

Granted Patent

US 9,996,690 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/53   by executing in a restricte...

G06F 2221/033   Test or assess software

H04L 9/321   involving a third party or ...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

BINARY TRANSLATION OF A TRUSTED BINARY WITH INPUT TAGGING

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

BINARY TRANSLATION OF A TRUSTED BINARY WITH INPUT TAGGING

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links