Hardware-based protection of secure data

US 8,156,565 B2
Filed: 04/28/2008
Issued: 04/10/2012
Est. Priority Date: 04/28/2008
Status: Active Grant

First Claim

Patent Images

1. One or more computer-storage media having computer-executable instructions embodied thereon that, when executed, perform a method for protecting secure data by writing content of the secure data to a protected memory segment, the method comprising:

receiving streaming media from a media-reading device;

identifying portions of the streaming media as secure data;

allocating a region of memory to provide the protected memory segment to accept the identified secure data, wherein the protected memory segment represents a secure data store that restricts access from the operating system thereto utilizing a set of hardware-based rules instantiated for the secure data store, wherein allocating the region of memory to provide the protected memory segment comprises;

(a) incident to identifying portions of the streaming media as secure data, establishing the protected memory segment;

(b) determining a rate of flow of the streaming media; and

(c) dynamically manipulating the allocation of the region of memory to hold the protected memory segment as a function of the rate of flow, wherein dynamically manipulating comprises incrementally growing or incrementally shrinking the protected memory segment in accordance with changes to the rate of flow; and

at least temporarily storing content of the secure data at the protected memory segment, wherein the stored content is not encrypted; and

releasing the content from the protected memory segment for conveyance to one or more presentation devices, wherein releasing the content from the protected memory segment comprises;

(a) pushing the content to a frame buffer according to a rate of flow of the streaming media, wherein the content in the frame buffer is visible to the one or more presentation devices and is protected by the set of hardware-based rules; and

(b) scanning out the content to the one or more presentation devices for rendering thereby.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-readable media, computerized methods, and computer systems for protecting secure data by writing content of the secure data to a protected memory segment are provided. Initially, streaming media is received from a media-reading device and portions of the streaming media are identified as secure data. A data-management process to protect content within the secure data is executed. During execution, the protected memory segment is instantiated, a region of memory is dynamically allocated to hold the protected memory segment, and content of the secure data is written thereto. The protected memory segment is generally a data store that conditionally limits access thereto utilizing hardware-based rules, thereby guarding the content against exposure to unauthorized systems and to attackers. The region of memory may be allocated on CPU hardware, GPU hardware, or a combination thereof. The content may then be encrypted and released for conveyance to one or more presentation devices.

Citations

17 Claims

1. One or more computer-storage media having computer-executable instructions embodied thereon that, when executed, perform a method for protecting secure data by writing content of the secure data to a protected memory segment, the method comprising:
- receiving streaming media from a media-reading device;
  
  identifying portions of the streaming media as secure data;
  
  allocating a region of memory to provide the protected memory segment to accept the identified secure data, wherein the protected memory segment represents a secure data store that restricts access from the operating system thereto utilizing a set of hardware-based rules instantiated for the secure data store, wherein allocating the region of memory to provide the protected memory segment comprises;
  
  (a) incident to identifying portions of the streaming media as secure data, establishing the protected memory segment;
  
  (b) determining a rate of flow of the streaming media; and
  
  (c) dynamically manipulating the allocation of the region of memory to hold the protected memory segment as a function of the rate of flow, wherein dynamically manipulating comprises incrementally growing or incrementally shrinking the protected memory segment in accordance with changes to the rate of flow; and
  
  at least temporarily storing content of the secure data at the protected memory segment, wherein the stored content is not encrypted; and
  
  releasing the content from the protected memory segment for conveyance to one or more presentation devices, wherein releasing the content from the protected memory segment comprises;
  
  (a) pushing the content to a frame buffer according to a rate of flow of the streaming media, wherein the content in the frame buffer is visible to the one or more presentation devices and is protected by the set of hardware-based rules; and
  
  (b) scanning out the content to the one or more presentation devices for rendering thereby.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The one or more computer-storage media of claim 1, wherein the allocated region of memory comprises at least one of system memory, video memory, or a combination of the system memory and the video memory.
  - 3. The one or more computer-readable media of claim 2, wherein allocating the region of memory to provide the protected memory segment to accept the secure data comprises:
    - initially selecting the video memory as the region of memory that is provided for the protected memory segment;
      
      detecting an increase in the rate of flow of the streaming media; and
      
      dynamically expanding the region of memory that is allocated for the protected memory segment to include the system memory.
  - 4. The one or more computer-storage media of claim 1, the method further comprising:
    - recognizing a type of the one or more presentation devices; and
      
      applying output protection according the type of the one or more presentation devices.
  - 5. The one or more computer-storage media of claim 1, wherein restricting access from the operating system to the protected memory segment utilizing the set of hardware-based rules comprises:
    - receiving an indication of an attempt to read from the protected memory segment by an unauthorized source; and
      
      altering the content to provide a null presentation when rendered on the one or more presentation devices.
  - 6. The one or more computer-storage media of claim 1, wherein restricting access from the operating system to the protected memory segment utilizing the set of hardware-based rules comprises:
    - determining whether the content is being encrypted during the release for conveyance to the one or more presentation devices; and
      
      altering the content to provide a null presentation when rendered on the one or more presentation devices.
  - 7. The one or more computer-storage media of claim 1, wherein restricting access from the operating system to the protected memory segment utilizing the set of hardware-based rules comprises:
    - receiving an indication that the content is being illicitly copied from the secure data for storage at a region of memory that is not the protected memory segment; and
      
      altering the extracted content to provide a null presentation when rendered on the one or more presentation devices.
  - 8. The one or more computer-storage media of claim 1, wherein restricting access from the operating system to the protected memory segment utilizing the set of hardware-based rules comprises:
    - receiving an indication the allocation for the protected memory segment is lowered thereby exposing a section of the content temporarily stored to the protected memory segment; and
      
      corrupting the exposed section of the content to provide a null presentation when rendered on the one or more presentation devices.

9. A computer system for applying a set of hardware-based rules to content that is written to a protected memory segment, the system comprising:
- an application to receive media streaming from a media-reading device and to identify secure data within the streaming media;
  
  a driver component to specify a type of memory that content of the streaming media is to be written, wherein the type of memory is specified as a function of whether the secure data is identified within the streaming media;
  
  a memory manager to allocate memory for the protected memory segment to, at least temporarily, store the content of the secure data, wherein the stored content is not encrypted, and wherein the memory manager is further configured to;
  
  (a) determine a rate of flow of the streaming media; and
  
  (b) dynamically allocate a size of the protected memory segment according the rate of flow by identifying a region of the memory;
  
  the protected memory segment to protectively hold the content and to deny unauthorized access from the operating system to the content by enforcing the set of hardware-based rules; and
  
  output-protection component to apply encryption to the content upon releasing the content from the protected memory segment to one or more presentation devices, wherein releasing the content from the protected memory segment comprises;
  
  (a) pushing the content to a frame buffer according to a rate of flow of the streaming media, wherein the content in the frame buffer is visible to the one or more presentation devices and is protected by the set of hardware-based rules; and
  
  (b) scanning out the content to the one or more presentation devices for rendering thereby.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, further comprising the memory to temporarily store the streaming media, wherein the memory comprises at least one of system memory, video memory, or a combination of the system memory and the video memory.
  - 11. The system of claim 9, wherein the driver component and the video memory are embodied on a graphics processing unit (GPU) having hardware distinct from hardware supporting a central processing unit (CPU) that enables function of the memory manager.
  - 12. The system of claim 9, wherein the application comprises a receiving component configured to:
    - decrypt the secure data;
      
      compress the decrypted secure data; and
      
      encrypt the compressed secure data.
  - 13. The system of claim 12, wherein the application is further comprises a decoder component to:
    - decrypt the encrypted compressed secure data;
      
      decode the compressed secure data to derive content therefrom; and
      
      populate the protected memory segment allocated for the decoded secure data with the content derived therefrom.
  - 14. The system of claim 9, wherein the output-protection component is further configured to:
    - identify at least one output from which the content passing through the protected memory segment is being evicted;
      
      determine a type of the one or more presentation devices operably connected to the at least one output; and
      
      apply encryption to the content according to the type of the one or more presentation devices precedent to the eviction of the content.
  - 15. The system of claim 9, wherein the streaming media is a video stream, wherein the media-reading device is a digital versatile disc (DVD) player, and wherein the content is digital video content that is displayed on the one or more presentation devices when rendered.

16. A computerized method for managing dynamic allocation of regions of memory to provide protected memory segments for storing secure data, the method comprising:
- receiving streaming media from a first media-reading device;
  
  identifying a rate of flow of the streaming media;
  
  identifying secure data is included within the streaming media;
  
  instantiating a first protected memory segment for receiving the secure data from the first media-reading device, wherein the first protected memory segment conditionally limits access to the secure data residing therein;
  
  dynamically allocating the regions of memory to provide the first protected memory segment based on the rate of flow, wherein the memory comprises video memory and system memory, and wherein dynamically allocating the regions of memory comprises;
  
  (a) accessing the identified rate of flow of the streaming media; and
  
  (b) dynamically modifying a size of the protected memory segment according the identified rate of flow, wherein the protected memory segment is provisioned to protectively hold the secure data of the streaming media and to deny unauthorized access from the operating system to the secure data by enforcing a set of hardware-based rules;
  
  writing the secure data to the first protected memory segment, wherein content of the written secure data is not encrypted; and
  
  releasing the secure data from the first protected memory segment for conveyance to one or more presentation devices, wherein releasing comprises;
  
  (a) pushing the content to a frame buffer according to a rate of flow of the streaming media, wherein the content in the frame buffer is visible to the one or more presentation devices and is protected by the set of hardware-based rules;
  
  (b) recognizing a type of the one or more presentation devices receiving the streaming media;
  
  (c) applying encryption to the content according the type of the one or more presentation devices; and
  
  (d) scanning out the encrypted content to the one or more presentation devices for rendering thereby.
- View Dependent Claims (17)
- - 17. The method of claim 16, further comprising:
    - receiving streaming media from a second media-reading device;
      
      identifying a rate of flow of the streaming media and that secure data is included therein;
      
      instantiating a second protected memory segment for receiving the secure data from the second media-reading device, wherein the second protected memory segment conditionally limits access to the secure data residing therein;
      
      dynamically allocating the regions of memory to provide the second protected memory segment based on the rate of flow and the allocated memory provided for the first protected memory segment;
      
      writing the secure data to the second protected memory segment; and
      
      releasing the secure data from the second protected memory segment for conveyance to one or more presentation devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Pronovost, Steve, Blythe, David R., MacDonald, Donald Scott
Primary Examiner(s)
Srivastava, Vivek
Assistant Examiner(s)
JHAVERI, JAYESH M

Application Number

US12/110,478
Publication Number

US 20090316889A1
Time in Patent Office

1,443 Days
Field of Search

None
US Class Current

726/27
CPC Class Codes

G06F 21/10 Protecting distributed prog...

H04N 21/4367 Establishing a secure commu...

Hardware-based protection of secure data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware-based protection of secure data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links