ZERO-KNOWLEDGE VERIFIABLY ATTESTABLE TRANSACTION CONTAINERS USING SECURE PROCESSORS

US 20180294962A1
Filed: 04/11/2017
Published: 10/11/2018
Est. Priority Date: 04/11/2017
Status: Active Grant

First Claim

Patent Images

1. A method for providing attestation of an operating system environment, the method comprising:

booting, with a secure boot process with attestation, at least one processor with secure processor technology that allows user-level code to allocate private regions of memory which are protected from processes running at higher privilege levels;

loading one or more operating system containers in a server or a virtual machine, where each of the one or more operating system containers use each of their own process space and network space in order to operate on a single operating system kernel without creating separate virtual machines;

determining if a set of one or more conditions of booting and loading has been satisfied using zero-knowledge verifiable computing; and

in response to the set of one or more conditions having been satisfied, sending an attestation calculated using a zero-knowledge verifiable computing technique to a second processor-based device that the set of one or more conditions have been satisfied.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer program product for providing an attestation of an operating environment. The method begins with booting, with a secure boot process with attestation, at least one processor with secure processor technology that allows user-level code to allocate private regions of memory which are protected from processes running at higher privilege levels. Next, one or more operating system containers are loaded in a server or a virtual machine. Each of the one or more operating system containers use each of their own process space and network space in order to operate on a single operating system kernel without creating separate virtual machines. If a set of one or more conditions of booting and loading has been satisfied using zero-knowledge verifiable computing then an attestation is sent calculated using a zero-knowledge verifiable computing technique to a second processor-based device.

Citations

20 Claims

1. A method for providing attestation of an operating system environment, the method comprising:
- booting, with a secure boot process with attestation, at least one processor with secure processor technology that allows user-level code to allocate private regions of memory which are protected from processes running at higher privilege levels;
  
  loading one or more operating system containers in a server or a virtual machine, where each of the one or more operating system containers use each of their own process space and network space in order to operate on a single operating system kernel without creating separate virtual machines;
  
  determining if a set of one or more conditions of booting and loading has been satisfied using zero-knowledge verifiable computing; and
  
  in response to the set of one or more conditions having been satisfied, sending an attestation calculated using a zero-knowledge verifiable computing technique to a second processor-based device that the set of one or more conditions have been satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the sending the attestation is sent using a zero knowledge protocol to maintain privacy of a user of the at least one processor.
  - 3. The method of claim 1, further comprising:
    - receiving a request for the attestation of the set of one or more conditions from another user using a zero-knowledge protocol to maintain privacy of a user of the at least one processor.
  - 4. The method of claim 1, further comprising:
    - determining if a settable time period is expired; and
      
      in response to the settable time period is expired along with the set of one or more conditions having been satisfied, sending an attestation that the set of one or more conditions have been satisfied using a zero-knowledge protocol to maintain privacy of the user.
  - 5. The method of claim 1, wherein the secure processor technology is one of IBM Secure Blue, IBM Secure Blue++, IBM Secure Memory Facility, ARM TrustZone, and Intel Software Guard Extensions.
  - 6. The method of claim 1, wherein the set of one or more conditions are a privilege violation of one or more processes running at higher privilege levels accessing private regions of memory.
  - 7. The method of claim 1, wherein the set of one or more conditions are a physical attack of the at least one processor.
  - 8. The method of claim 1, wherein the zero-knowledge verifiable computing is one ofsuccinct computational integrity and privacy (SCIP) technique;
    - succinct non-interactive argument of knowledge (zk-snark) technique; and
      
      probabilistically checkable proof (PCP) technique.
  - 9. The method of claim 1, wherein the set of one or more conditions is a verification that the secure boot process had executed to completion without a failed integrity check.

10. A system for providing attestation of an operating system environment, the system comprising:
- a memory;
  
  a processor communicatively coupled to the memory, where the processor is configured to performbooting, with a secure boot process with attestation, at least one processor with secure processor technology that allows user-level code to allocate private regions of memory which are protected from processes running at higher privilege levels;
  
  loading one or more operating system containers in a server or a virtual machine, where each of the one or more operating system containers use each of their own process space and network space in order to operate on a single operating system kernel without creating separate virtual machines;
  
  determining if a set of one or more conditions of booting and loading has been satisfied using zero-knowledge verifiable computing; and
  
  in response to the set of one or more conditions having been satisfied, sending an attestation calculated using a zero-knowledge verifiable computing technique to a second processor-based device that the set of one or more conditions have been satisfied.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the sending the attestation is sent using a zero knowledge protocol to maintain privacy of a user of the at least one processor.
  - 12. The system of claim 10, further comprising:
    - receiving a request for the attestation of the set of one or more conditions from another user using a zero-knowledge protocol to maintain privacy of a user of the at least one processor.
  - 13. The system of claim 10, further comprising:
    - determining if a settable time period is expired; and
      
      in response to the settable time period is expired along with the set of one or more conditions having been satisfied, sending an attestation that the set of one or more conditions have been satisfied using a zero-knowledge protocol to maintain privacy of the user.
  - 14. The system of claim 10, wherein the secure processor technology is one of IBM Secure Blue, IBM Secure Blue++, IBM Secure Memory Facility, ARM TrustZone, and Intel Software Guard Extensions.
  - 15. The system of claim 10, wherein the set of one or more conditions are a privilege violation of one or more processes running at higher privilege levels accessing private regions of memory.
  - 16. The system of claim 10, wherein the set of one or more conditions are a physical attack of the at least one processor.
  - 17. The system of claim 10, wherein the zero-knowledge verifiable computing is one ofsuccinct computational integrity and privacy (SCIP) technique;
    - succinct non-interactive argument of knowledge (zk-snark) technique; and
      
      probabilistically checkable proof (PCP) technique.
  - 18. The system of claim 10, wherein the set of one or more conditions is a verification that the secure boot process had executed to completion without a failed integrity check.

19. A non-transitory computer program product for providing attestation of an operating system environment comprising a computer readable storage medium having computer readable program code embodied therewith, the computer readable program code configured to perform:
- booting, with a secure boot process with attestation, at least one processor with secure processor technology that allows user-level code to allocate private regions of memory which are protected from processes running at higher privilege levels;
  
  loading one or more operating system containers in a server or a virtual machine, where each of the one or more operating system containers use each of their own process space and network space in order to operate on a single operating system kernel without creating separate virtual machines;
  
  determining if a set of one or more conditions of booting and loading has been satisfied using zero-knowledge verifiable computing; and
  
  in response to the set of one or more conditions having been satisfied, sending an attestation calculated using a zero-knowledge verifiable computing technique to a second processor-based device that the set of one or more conditions have been satisfied.
- View Dependent Claims (20)
- - 20. The non-transitory computer program product of claim 19, wherein the sending the attestation is sent using a zero knowledge protocol to maintain privacy of a user of the at least one processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
KRAEMER, James R., LINTON, Jeb R.

Granted Patent

US 10,587,411 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/575   Secure boot

G06F 9/4401   Bootstrapping security arra...

G06F 9/4406   Loading of operating system

G09C 1/00   Apparatus or methods whereb...

H04L 9/3221   interactive zero-knowledge ...

H04L 9/3234   involving additional secure...

ZERO-KNOWLEDGE VERIFIABLY ATTESTABLE TRANSACTION CONTAINERS USING SECURE PROCESSORS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ZERO-KNOWLEDGE VERIFIABLY ATTESTABLE TRANSACTION CONTAINERS USING SECURE PROCESSORS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links