Data Protection Using Virtual Resource Views

US 20170277903A1
Filed: 03/22/2016
Published: 09/28/2017
Est. Priority Date: 03/22/2016
Status: Abandoned Application

First Claim

Patent Images

1. A method of protecting data using virtual views of resource contents, comprising:

monitoring, by a virtualization interface monitor of a computing device, a request to access a computing device resource by a first requesting entity;

determining, by the virtualization interface monitor, whether the first requesting entity is an owner of the computing device resource;

providing, by a data protection system of the computing device to the first requesting entity, an unobscured virtual view of resource contents of the computing device resource in response to determining that the first requesting entity is the owner of the computing device resource; and

providing, by the data protection system to the first requesting entity, an obscured virtual view of the resource contents of the computing device resource in response to determining that the first requesting entity is a non-owner of the computing device resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments include computing devices, systems, and methods for protecting data using virtual views of resource contents. A virtualization interface monitor may monitor a request to access a computing device resource by a first requesting entity and determine whether the first requesting entity is an owner of the computing device resource. A data protection system may provide, to the first requesting entity, an unobscured virtual view of resource contents of the computing device resource in response to determining that the first requesting entity is the owner of the computing device resource. A resource content cryptographic device may obscure a virtual view of the resource contents of the computing device resource in response to determining that the first requesting entity is a non-owner of the computing device resource. The data protection system may provide, to the first requesting entity, the obscured virtual view of resource contents of the computing device resource.

50 Citations

View as Search Results

28 Claims

1. A method of protecting data using virtual views of resource contents, comprising:
- monitoring, by a virtualization interface monitor of a computing device, a request to access a computing device resource by a first requesting entity;
  
  determining, by the virtualization interface monitor, whether the first requesting entity is an owner of the computing device resource;
  
  providing, by a data protection system of the computing device to the first requesting entity, an unobscured virtual view of resource contents of the computing device resource in response to determining that the first requesting entity is the owner of the computing device resource; and
  
  providing, by the data protection system to the first requesting entity, an obscured virtual view of the resource contents of the computing device resource in response to determining that the first requesting entity is a non-owner of the computing device resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - determining, by a resource content cryptographic device, whether the first requesting entity has a certified function;
      
      determining, by the resource content cryptographic device, an access type for the first requesting entity in response to determining the first requesting entity has a certified function; and
      
      obscuring, by a resource content cryptographic device of the computing device, the virtual views of the resource contents of the computing device resource in response to determining that the first requesting entity is a non-owner of the computing device resource using an obscuring level based on the access type.
  - 3. The method of claim 2, wherein the access type includes partially obscured and obscured, and wherein obscuring the virtual views of the resource contents of the computing device resource using an obscuring level based on the access type comprises:
    - encrypting, by the resource content cryptographic device, the virtual views of the resource contents of the computing device resource using homomorphic encryption in response to determining that the access type for the first requesting entity is partially obscured; and
      
      encrypting, by the resource content cryptographic device, the virtual views of the resource contents of the computing device resource using strong encryption in response to determining that the access type for the first requesting entity is obscured.
  - 4. The method of claim 1, further comprising:
    - monitoring, by the virtualization interface monitor, a virtualization interface for changes in ownership of the computing device resource; and
      
      storing, by the virtualization interface monitor, a first owner identifier of the first requesting entity correlated with a virtual resource identifier of the computing device resource for the first requesting entity, wherein the first owner identifier indicates the first requesting entity is granted ownership of the computing device resource and the virtual resource identifier is mapped to a physical resource identifier of the computing device resource.
  - 5. The method of claim 4, wherein monitoring a virtualization interface for a change in ownership of the computing device resource comprises monitoring for a request for ownership of the computing device resource by a second requesting entity.
  - 6. The method of claim 1, wherein determining whether the first requesting entity is an owner of the computing device resource comprises:
    - comparing, by the virtualization interface monitor, a virtual resource identifier of the request to access the computing device resource with a stored owner identifier of correlated with a virtual resource identifier of the computing device resource; and
      
      determining that the first requesting entity is the owner of the computing device resource when the virtual resource identifier of the request to access the computing device resource and the virtual resource identifier of the computing device resource match.
  - 7. The method of claim 1, wherein:
    - the owner of the computing device resource is an application; and
      
      the non-owner of the computing device resource is a resource manager including one of an operating system kernel, a hypervisor, and a TrustZone.

8. A computing device, comprising:
- a data protection system comprising a virtualization interface monitor and a resource content cryptographic device,wherein the virtualization interface monitor is configured with virtualization interface monitor-executable instructions to perform operations comprising;
  
  monitoring a request to access a computing device resource by a first requesting entity; and
  
  determining whether the first requesting entity is an owner of the computing device resource, andwherein the data protection system is configured with data protection system-executable instructions to perform operations comprising;
  
  providing, to the first requesting entity, an unobscured virtual view of resource contents of the computing device resource in response to determining that the first requesting entity is the owner of the computing device resource; and
  
  providing, to the first requesting entity, an obscured virtual view of the resource contents of the computing device resource in response to determining that the first requesting entity is a non-owner of the computing device resource.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computing device of claim 8, wherein the resource content cryptographic device is configured with resource content cryptographic device-executable instructions to perform operations further comprising:
    - determining whether the first requesting entity has a certified function;
      
      determining an access type for the first requesting entity in response to determining the first requesting entity has a certified function; and
      
      obscuring a virtual view of the resource contents of the computing device resource in response to determining that the first requesting entity is a non-owner of the computing device resource.
  - 10. The computing device of claim 9, wherein the access type includes partially obscured and obscured, and wherein the resource content cryptographic device is configured with resource content cryptographic device-executable instructions to perform operations such that obscuring the virtual view of the resource contents of the computing device resource using an obscuring level based on the access type comprises:
    - encrypting the virtual view of the resource contents of the computing device resource using homomorphic encryption in response to determining that the access type for the first requesting entity is partially obscured; and
      
      encrypting the virtual view of the resource contents of the computing device resource using strong encryption in response to determining that the access type for the first requesting entity is obscured.
  - 11. The computing device of claim 8, wherein the virtualization interface monitor is configured with virtualization interface monitor-executable instructions to perform operations further comprising:
    - monitoring a virtualization interface for changes in ownership of the computing device resource; and
      
      storing a first owner identifier of the first requesting entity correlated with a virtual resource identifier of the computing device resource for the first requesting entity, wherein the first owner identifier indicates the first requesting entity is granted ownership of the computing device resource and the virtual resource identifier is mapped to a physical resource identifier of the computing device resource.
  - 12. The computing device of claim 11, wherein the virtualization interface monitor is configured with virtualization interface monitor-executable instructions to perform operations such that monitoring a virtualization interface for a change in ownership of the computing device resource comprises monitoring for a request for ownership of the computing device resource by a second requesting entity.
  - 13. The computing device of claim 8, wherein the virtualization interface monitor is configured with virtualization interface monitor-executable instructions to perform operations such that determining whether the first requesting entity is an owner of the computing device resource comprises:
    - comparing a virtual resource identifier of the request to access the computing device resource with a stored owner identifier of correlated with a virtual resource identifier of the computing device resource; and
      
      determining that the first requesting entity is the owner of the computing device resource when the virtual resource identifier of the request to access the computing device resource and the virtual resource identifier of the computing device resource match.
  - 14. The computing device of claim 8, further comprising a plurality of processors communicatively connected to the data protection system, and wherein:
    - the owner of the computing device resource is an application executing on a first processor of the plurality of processors; and
      
      the non-owner of the computing device resource is a resource manager including one of an operating system kernel, a hypervisor, and a TrustZone executing on a second processor of the plurality of processors.

15. A computing device configured for protecting data using virtual views of resource contents, comprising:
- means for monitoring a request to access a computing device resource by a first requesting entity;
  
  means for determining whether the first requesting entity is an owner of the computing device resource;
  
  means for providing, to the first requesting entity, an unobscured virtual view of resource contents of the computing device resource in response to determining that the first requesting entity is the owner of the computing device resource; and
  
  means for providing, to the first requesting entity, an obscured virtual view of resource contents of the computing device resource in response to determining that the first requesting entity is a non-owner of the computing device resource.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computing device of claim 15, further comprising:
    - means for determining whether the first requesting entity has a certified function; and
      
      means for determining an access type for the first requesting entity in response to determining the first requesting entity has a certified function; and
      
      means for obscuring the virtual views of the resource contents of the computing device resource in response to determining that the first requesting entity is a non-owner of the computing device resource using an obscuring level based on the access type.
  - 17. The computing device of claim 16, wherein the access type includes partially obscured and obscured, and wherein means for obscuring the virtual views of the resource contents of the computing device resource using an obscuring level based on the access type comprises:
    - means for encrypting the virtual views of the resource contents of the computing device resource using homomorphic encryption in response to determining that the access type for the first requesting entity is partially obscured; and
      
      means for encrypting the virtual views of the resource contents of the computing device resource using strong encryption in response to determining that the access type for the first requesting entity is obscured.
  - 18. The computing device of claim 15, further comprising:
    - means for monitoring a virtualization interface for changes in ownership of the computing device resource; and
      
      means for storing a first owner identifier of the first requesting entity correlated with a virtual resource identifier of the computing device resource for the first requesting entity, wherein the first owner identifier indicates the first requesting entity is granted ownership of the computing device resource and the virtual resource identifier is mapped to a physical resource identifier of the computing device resource.
  - 19. The computing device of claim 18, wherein means for monitoring a virtualization interface for a change in ownership of the computing device resource comprises means for monitoring for a request for ownership of the computing device resource by a second requesting entity.
  - 20. The computing device of claim 15, wherein means for determining whether the first requesting entity is an owner of the computing device resource comprises:
    - means for comparing a virtual resource identifier of the request to access the computing device resource with a stored owner identifier of correlated with a virtual resource identifier of the computing device resource; and
      
      means for determining that the first requesting entity is the owner of the computing device resource when the virtual resource identifier of the request to access the computing device resource and the virtual resource identifier of the computing device resource match.
  - 21. The computing device of claim 15, wherein:
    - the owner of the computing device resource is an application; and
      
      the non-owner of the computing device resource is a resource manager including one of an operating system kernel, a hypervisor, and a TrustZone.

22. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a computing device to perform operations comprising:
- monitoring a request to access a computing device resource by a first requesting entity;
  
  determining whether the first requesting entity is an owner of the computing device resource;
  
  providing, to the first requesting entity, an unobscured virtual view of resource contents of the computing device resource in response to determining that the first requesting entity is the owner of the computing device resource; and
  
  providing, to the first requesting entity, an obscured virtual view of resource contents of the computing device resource in response to determining that the first requesting entity is a non-owner of the computing device resource.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
    - determining whether the first requesting entity has a certified function;
      
      determining an access type for the first requesting entity in response to determining the first requesting entity has a certified function; and
      
      obscuring a virtual view of the resource contents of the computing device resource in response to determining that the first requesting entity is a non-owner of the computing device resource using an obscuring level based on the access type.
  - 24. The non-transitory processor-readable storage medium of claim 23, wherein the access type includes partially obscured and obscured, and wherein the stored processor-executable instructions are configured to cause the processor to perform operations such that obscuring the virtual view of the resource contents of the computing device resource using an obscuring level based on the access type comprises:
    - encrypting the virtual view of the resource contents of the computing device resource using homomorphic encryption in response to determining that the access type for the first requesting entity is partially obscured; and
      
      encrypting the virtual view of the resource contents of the computing device resource using strong encryption in response to determining that the access type for the first requesting entity is obscured.
  - 25. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
    - monitoring a virtualization interface for changes in ownership of the computing device resource; and
      
      storing a first owner identifier of the first requesting entity correlated with a virtual resource identifier of the computing device resource for the first requesting entity, wherein the first owner identifier indicates the first requesting entity is granted ownership of the computing device resource and the virtual resource identifier is mapped to a physical resource identifier of the computing device resource.
  - 26. The non-transitory processor-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause the processor to perform operations such that monitoring a virtualization interface for a change in ownership of the computing device resource comprises monitoring for a request for ownership of the computing device resource by a second requesting entity.
  - 27. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the processor to perform operations such that determining whether the first requesting entity is an owner of the computing device resource comprises:
    - comparing a virtual resource identifier of the request to access the computing device resource with a stored owner identifier of correlated with a virtual resource identifier of the computing device resource; and
      
      determining that the first requesting entity is the owner of the computing device resource when the virtual resource identifier of the request to access the computing device resource and the virtual resource identifier of the computing device resource match.
  - 28. The non-transitory processor-readable storage medium of claim 22, wherein:
    - the owner of the computing device resource is an application; and
      
      the non-owner of the computing device resource is a resource manager including one of an operating system kernel, a hypervisor, and a TrustZone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Christodorescu, Mihai, Dhurjati, Dinakar, Islam, Nayeem

Application Number

US15/076,936
Publication Number

US 20170277903A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1433   for a module or a part of a...

G06F 12/1483   using an access-table, e.g....

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/79   in semiconductor storage me...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45558   Hypervisor-specific managem...

H04L 9/008   involving homomorphic encry...

Data Protection Using Virtual Resource Views

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Data Protection Using Virtual Resource Views

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links