Software trusted platform module and application security wrapper

US 7,870,399 B2
Filed: 02/07/2007
Issued: 01/11/2011
Est. Priority Date: 02/10/2006
Status: Active Grant

First Claim

Patent Images

1. A software system that transforms an original application into an STPM enabled application and runs the STPM enabled application, the software system comprising:

an anti-tamper tool used at protect time for accepting an original application and creating the STPM enabled application, the anti-tamper tool initially implementing anti-tamper techniques on the original application to create a guarded application;

a security wrapper created at protect time by the anti-tamper tool in accordance with a policy file specifying security and usage restrictions for the original application, the security wrapper wrapping the guarded application to create the STPM enabled application;

a trusted service provider inserted at protect time by the anti-tamper tool at the entry point of the STPM enabled application;

a set of core services made accessible to the STPM enabled application through the trusted service provider;

an STPM device driver implementing trusted platform module functionality, the STPM device driver being protected by anti-tamper techniques; and

a processor for executing the STPM enabled application;

wherein at runtime the trusted service provider creates a TSP thread and passes a security file based on the policy file to the STPM device driver, the TSP thread actively monitoring the enabled application and interacting with the STPM device driver through the set of core services.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A software system that transforms an original application into an STPM enabled application and runs the enabled application. At protect time, an anti-tamper tool accepts the original application, uses anti-tamper techniques to create a guarded application, creates a security wrapper according to a policy file, and wraps the guarded application to create the STPM enabled application. A trusted service provider is inserted at the entry point of the enabled application. A set of core services is made accessible to the enabled application through the trusted service provider. At runtime the trusted service provider creates a TSP thread and passes a security file to an STPM device driver implementing TPM functionality and protected by anti-tamper techniques. The TSP thread actively monitors the enabled application and interacts with the STPM device driver through the set of core services.

49 Citations

View as Search Results

20 Claims

1. A software system that transforms an original application into an STPM enabled application and runs the STPM enabled application, the software system comprising:
- an anti-tamper tool used at protect time for accepting an original application and creating the STPM enabled application, the anti-tamper tool initially implementing anti-tamper techniques on the original application to create a guarded application;
  
  a security wrapper created at protect time by the anti-tamper tool in accordance with a policy file specifying security and usage restrictions for the original application, the security wrapper wrapping the guarded application to create the STPM enabled application;
  
  a trusted service provider inserted at protect time by the anti-tamper tool at the entry point of the STPM enabled application;
  
  a set of core services made accessible to the STPM enabled application through the trusted service provider;
  
  an STPM device driver implementing trusted platform module functionality, the STPM device driver being protected by anti-tamper techniques; and
  
  a processor for executing the STPM enabled application;
  
  wherein at runtime the trusted service provider creates a TSP thread and passes a security file based on the policy file to the STPM device driver, the TSP thread actively monitoring the enabled application and interacting with the STPM device driver through the set of core services.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The software system of claim 1, wherein the anti-tamper tool inserts guards into the original application, and obfuscates and encrypts parts or all of the original application.
  - 3. The software system of claim 1, wherein the device driver utilizes TPM hardware or other security hardware when it is available.
  - 4. The software system of claim 1, wherein the trusted service provider is standardized for use with a variety of STPM enabled applications.
  - 5. The software system of claim 1, wherein the STPM enabled application is a legacy application available as binary code, and the trusted service provider is embedded in the binary code of the legacy application, and the security policy are specified in an external file enforced by the STPM device driver.
  - 6. The software system of claim 1, wherein when the set of core services includes one or more of content management services, key management services, credential management services, event management services, and audit management services.
  - 7. The software system of claim 1, further comprising a plurality of enabled applications and a plurality of trusted service providers, each enabled application having an associated trusted service provider;
    - and wherein the set of core services provides common services to all of the plurality of trusted service providers.
  - 8. The software system of claim 1, wherein the STPM device driver can be accessed by a network to report system health status.
  - 9. The software system of claim 1, wherein the STPM device driver implements one or more of RSA key generation, RSA encryption and decryption, Secure Hash Algorithm (SHA-1) hashing, Hashed Message Authentication Code (HMAC), random number generation, internal use of symmetric encryption, data integrity registers, state registers and platform configuration registers.
  - 10. The software system of claim 1, wherein the STPM device driver takes an action according to the policy file when violations of the security file are detected, the action being configurable.
  - 11. The software system of claim 1, wherein integrity checks are performed periodically during the execution of the enabled application according to the policy file.
  - 12. The software system of claim 11, wherein the integrity checks are performed both internal and external to the enabled application according to the policy file.
  - 13. The software system of claim 1, wherein the policy file specifies security information which includes one or more of integrity verification measurements, system health requirements, runtime restrictions, licensing restrictions, or cryptographic keys.

14. A method of transforming an original application into an STPM enabled application and executing the STPM enabled application in a software system, the method comprising at protect time:
- accepting the original application and a policy file specifying security and usage restrictions;
  
  analyzing the original application with an anti-tamper tool;
  
  protecting the original application using anti-tamper techniques;
  
  generating a public key and private key pair;
  
  encrypting the protected application and the policy file using the public key; and
  
  wrapping the encrypted application and policy file in a security wrapper;
  
  inserting trusted service provider functionality at the entry point of the wrapped application to create the STPM enabled application;
  
  and the method further comprising at runtime a processor;
  
  creating a trusted service provider thread;
  
  passing the encrypted policy file to an STPM device driver;
  
  decrypting the policy file and processing its contents in the STPM device driver;
  
  loading the encrypted STPM enabled application;
  
  executing the STPM enabled application in accordance with the policy file.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein the STPM enabled application is decrypted on-demand during execution of the STPM enabled application.
  - 16. The method of claim 14, wherein the STPM enabled application is decrypted in its entirety prior to execution of the STPM enabled application.
  - 17. The method of claim 14, wherein the STPM enabled application is decrypted on-demand during execution or decrypted in its entirety prior to execution depending on the contents of the policy file.
  - 18. The method of claim 14, wherein the STPM device driver stores data in secure data storage registers using data splitting techniques comprising:
    - splitting the data into N chunks,storing each chunk in a separate secure data register;
      
      performing computations with the data by;
      
      operating on each of the N data chunks independently;
      
      and combining the results of the independent operations to arrive at the result of the computation.
  - 19. The method of claim 18, wherein the data splitting techniques use additive splitting techniques.
  - 20. The method of claim 18, wherein the data splitting techniques use multiplicative splitting techniques.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsemi Corp. - Security Solutions
Original Assignee
Arxan Defense Systems Incorporated (Mercury Systems, Incorporated)
Inventors
Rice, John R., Rambhia, Avni Harilal, Bryant, Eric D., Atallah, Mikhael J.
Primary Examiner(s)
Henning; Matthew T

Application Number

US11/672,054
Publication Number

US 20070192864A1
Time in Patent Office

1,434 Days
Field of Search

713/190, 726/29
US Class Current

713/193
CPC Class Codes

G06F 21/54   by adding security routines...

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

Software trusted platform module and application security wrapper

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Software trusted platform module and application security wrapper

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links