Arrangement and method of execution of code

US 7,370,211 B2
Filed: 09/21/2001
Issued: 05/06/2008
Est. Priority Date: 09/21/2001
Status: Expired due to Term

First Claim

Patent Images

1. A system for executing code, the code comprising critical code portions and non-critical code portions, wherein the system comprises:

a computer having at least one application,a secure execution unit connected to the computer, wherein the secure execution unit includes;

means for executing the critical code portions,means for storing a secret key known only to the secure execution unit, andmeans for authenticating a result of an executed critical code portion using the secret key;

wherein the at least one application is arranged to send a request to the secure execution unit to execute a first critical code portion.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to systems (1) and a method for executing code. According to the method a non-critical code portion is executed on a computer (3). When an application (5) on the computer detects a critical code portion to be executed, the application sends a request to a secure execution unit (4) connected to the computer to execute the critical code portion. The secure execution unit (4) executes the critical code portion in response to the request. Thereafter the secure execution unit authenticates the result of the execution of the critical code portion using a secret key (7). The authentication allows for another party (2) to verify that the execution was carried out in a trusted way. An advantage of the present invention is that it provides a reliable execution environment that can be trusted to execute critical code.

Citations

35 Claims

1. A system for executing code, the code comprising critical code portions and non-critical code portions, wherein the system comprises:
- a computer having at least one application,a secure execution unit connected to the computer, wherein the secure execution unit includes;
  
  means for executing the critical code portions,means for storing a secret key known only to the secure execution unit, andmeans for authenticating a result of an executed critical code portion using the secret key;
  
  wherein the at least one application is arranged to send a request to the secure execution unit to execute a first critical code portion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system according to claim 1, wherein the secure execution unit includes means for checking a digital signature of the first critical code portion.
  - 3. The system according to claim 2, wherein the secure execution unit also includes communications means for forwarding the authenticated result to a server.
  - 4. The system according to claim 3, wherein the secure execution unit also includes communications means for forwarding the authenticated result to the application on the computer.
  - 5. The system according claim 4, wherein the secure execution unit includes a clock unit and means for time stamping the result.
  - 6. The system according to claim 5, wherein the means for authenticating the result includes digital signing means.
  - 7. The system according to claim 6, wherein the means for authenticating the result includes encryption means.
  - 8. The system according to claim 7, wherein the application is arranged to include at least one parameter of the first critical code portion in the request to the secure execution unit.
  - 9. The system according to claim 8, wherein the secure execution unit includes:
    - a memory for storing at least one predetermined constraint of the at least one parameter; and
      
      means for comparing the parameter with the at least one predetermined constraint.
  - 10. The system according to claim 8, wherein the secure execution unit includes a display and an input device, and the secure execution unit is arranged to display the at least one parameter on the display.
  - 11. The system according to claim 10, wherein the secure execution unit is a hardware unit that is separate from the hardware of the computer, and wherein the secure execution unit and the computer include communications interfaces for communicating with each other.
  - 12. The system according to claim 10, wherein the secure execution unit is incorporated in the same chassis as the computer.

13. A processing system including a first subsystem and a second subsystem, wherein at least the first subsystem comprises:
- a computer having at least one application;
  
  a secure execution unit connected to the computer, wherein the secure execution unit includes;
  
  means for executing the critical code portions;
  
  means for storing a secret key known only to the secure execution unit; and
  
  means for authenticating a result of an executed critical code portion using the secret key;
  
  wherein the at least one application is arranged to send a request to the secure execution unit to execute a first critical code portion.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 14. The processing system according to claim 13, wherein at least the second system includes means for checking an authenticated result of an execution of a critical code portion in the secure execution unit and verifying that the execution was carried out in a trusted way.
  - 15. The processing system according to claim 13, wherein the secure execution unit includes means for checking a digital signature of the first critical code portion.
  - 16. The system according to claim 15, wherein the secure execution unit also includes communications means for forwarding the authenticated result to a server.
  - 17. The system according to claim 16, wherein the secure execution unit also includes communications means for forwarding the authenticated result to the application on the computer.
  - 18. The system according to claim 17, wherein the secure execution unit includes a clock unit and means for time stamping the result.
  - 19. The system according to claim 18, wherein the means for authenticating the result includes digital signing means.
  - 20. The system according to claim 19, wherein the means for authenticating the result includes encryption means.
  - 21. The system according to claim 20, wherein the application is arranged to include at least one parameter of the first critical code portion in the request to the secure execution unit.
  - 22. The system according to claim 21, wherein the secure execution unit includes:
    - a memory for storing at least one predetermined constraint of the at least one parameter; and
      
      means for comparing the parameter with the at least one predetermined constraint.
  - 23. The system according to claim 21 wherein the secure execution unit includes a display arranged to display the at least one parameter prior to execution of the first critical code portion.
  - 24. The system according to claim 23, wherein the secure execution unit is a hardware unit that is separate from the hardware of the computer, and wherein the secure execution unit and the computer include communications interfaces for communicating with each other.
  - 25. The system according to claim 23, wherein the secure execution unit is incorporated in the same chassis as the computer.

26. A method for executing code having critical code portions and non-critical code portions, wherein the method includes the step of executing at least a first non-critical code portion on a computer, said method further comprising the steps of:
- detecting by an application on the computer, a first critical code portion to be executed;
  
  sending by the application, a request to a secure execution unit to execute the first critical code portion;
  
  executing by the secure execution unit, the first critical code portion in response to the request; and
  
  authenticating by the secure execution unit, the result of the execution of the first critical code portion using a secret key known only to the secure execution unit.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 27. The method according to claim 26, further comprising the step of verifying by the secure execution unit, the authenticity of the first critical code portion before executing it, said verifying step including checking a digital signature of the first critical code portion.
  - 28. The method according to claim 26, wherein the step of authenticating the result includes signing the result digitally using the secret key.
  - 29. The method according to claim 26, wherein the step of authenticating the result includes encrypting the result using the secret key.
  - 30. The method according to claim 26, wherein the step of sending the request to the secure execution unit to execute the first critical code portion includes sending by the application, at least one parameter of the first critical code portion in the request to the secure execution unit.
  - 31. The method according to claim 30, further comprising the step of the secure execution unit checking the validity of the at least one parameter by comparing the parameter with at least one predetermined constraint.
  - 32. The method according to claim 30, further comprising the step of the secure execution unit displaying the at least one parameter on a display in order for a user to visually inspect the validity of the parameter.
  - 33. The method according to claim 26, further comprising the steps of:
    - forwarding the authenticated result from the secure execution unit to a foreign system;
      
      checking the result by the foreign system; and
      
      verifying that the execution was carried out in a trusted way.
  - 34. The method according to claim 33, wherein the step of forwarding the authenticated result to the foreign system includes forwarding the authenticated result via the application on the computer.
  - 35. The method according claim 33, further comprising the steps of:
    - time stamping the result by the secure execution unit; and
      
      checking the time stamp of the result by the foreign system when the execution is verified to have been carried out in a trusted way.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NovaCloud Licensing LLC
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Halén, Joacim, Rindborg, Tom
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Cervetti; David Garcia

Application Number

US10/490,227
Publication Number

US 20040243810A1
Time in Patent Office

2,419 Days
Field of Search

713/176, 713/191
US Class Current

713/191
CPC Class Codes

G06F 21/123   by using dedicated hardware...

G06F 21/52   during program execution, e...

G06F 21/567   using dedicated hardware

Arrangement and method of execution of code

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Arrangement and method of execution of code

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links