Method, apparatus, and system for enabling a secure location-aware platform

US 8,393,000 B2
Filed: 08/19/2011
Issued: 03/05/2013
Est. Priority Date: 10/17/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method for security control, the method comprising:

identifying a change in network status of a device, the device including a secure partition, a first virtual user partition, and a second virtual user partition, each of the secure partition, the first virtual user partition, and the second virtual user partition being different partitions of the device, and the secure partition including a location awareness agent;

determining, with the location awareness agent, whether the device is connected to a network;

determining, in response to the device being connected to the network, whether the network is secure by attempting to connect to a known network infrastructure element in a secure network;

applying, with the location awareness agent, a first set of security controls to a first operating system in the first virtual user partition in response to determining that the device is connected to the secure network, the location awareness agent to apply the first set of security controls to the first operating system prior to enabling the first operating system to access the secure network;

applying, with the location awareness agent, a second set of security controls to a second operating system in the second virtual user partition in response to determining that the device is connected to an unsecure network, the location awareness agent to apply the second set of security controls to the second operating system prior to enabling the second operating system to access the unsecure network;

identifying whether the device moves from the secure network to the unsecure network; and

transferring an execution environment from the first operating system in the first virtual user partition to the second operating system in the second virtual user partition in response to identifying that the device moved from the secure network to the unsecure network.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, and system enable a secure location-aware platform. Specifically, embodiments of the present invention may utilize a secure processing partition on the platform to determine a location of the platform and dynamically apply and/or change security controls accordingly.

14 Citations

View as Search Results

17 Claims

1. A method for security control, the method comprising:
- identifying a change in network status of a device, the device including a secure partition, a first virtual user partition, and a second virtual user partition, each of the secure partition, the first virtual user partition, and the second virtual user partition being different partitions of the device, and the secure partition including a location awareness agent;
  
  determining, with the location awareness agent, whether the device is connected to a network;
  
  determining, in response to the device being connected to the network, whether the network is secure by attempting to connect to a known network infrastructure element in a secure network;
  
  applying, with the location awareness agent, a first set of security controls to a first operating system in the first virtual user partition in response to determining that the device is connected to the secure network, the location awareness agent to apply the first set of security controls to the first operating system prior to enabling the first operating system to access the secure network;
  
  applying, with the location awareness agent, a second set of security controls to a second operating system in the second virtual user partition in response to determining that the device is connected to an unsecure network, the location awareness agent to apply the second set of security controls to the second operating system prior to enabling the second operating system to access the unsecure network;
  
  identifying whether the device moves from the secure network to the unsecure network; and
  
  transferring an execution environment from the first operating system in the first virtual user partition to the second operating system in the second virtual user partition in response to identifying that the device moved from the secure network to the unsecure network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising;
    - starting up the second virtual user partition in response to identifying that the device moved from the secure network to the unsecure network.
  - 3. The method of claim 1, further comprising:
    - shutting down the first virtual user partition in response to identifying that the device moved from the secure network to the unsecure network.
  - 4. The method of claim 1, further comprising:
    - identifying whether the device moves back to the secure network from the unsecure network; and
      
      transferring the execution environment back to the first operating system in the first virtual user partition from the second operating system in the second virtual user partition in response to identifying that the device moved back to the secure network from the unsecure network.
  - 5. The method of claim 1, wherein the first set of security controls applied to the first operating system in the first virtual user partition is different than the second set of security controls applied to the second operating system in the second virtual user partition, the second set of security controls imposes at least one more restriction than the first set of security controls.
  - 6. The method of claim 1, wherein the first set of security controls enables the first operating system in the first virtual user partition to access data on the device and the second set of security controls restricts the second operating system in the second virtual user partition from accessing at least a portion of the data on the device.
  - 7. The method of claim 1, wherein the secure partition comprises at least one of an Active Management Technologies (AMT) partition, a Manageability Engine (ME), a Platform Resource Layer (PRL), a virtual machine (VM), and an independent processor core.

8. A computing device, comprising:
- a network interface card;
  
  a virtual machine monitor to manage allocation of resources of the computing device among one or more virtual user partitions;
  
  a secure partition to manage access to the network interface card for the one or more virtual user partitions, the secure partition comprises a location awareness agent to determine whether the computing device is connected to a network, wherein in response to determining that the computing device is connected to a network, the location awareness agent to determine whether the computing device is connected to one of a secure network or an unsecure network by attempting to connect to a known network element in the secure network;
  
  a first virtual user partition having a first operating system to enable access to the secure network, the location awareness agent to apply a first set of security controls to the first operating system of the first virtual user partition prior to enabling access to the secure network; and
  
  a second virtual user partition having a second operating system to enable access to the unsecure network, the location awareness agent to apply a second set of security controls to the second operating system of the second virtual user partition prior to enabling access to the unsecure network,wherein each of the secure partition, the first virtual user partition, and the second virtual user partition being different partitions of the computing device, andwherein the location awareness agent further to detect if the computing device roams from the secure network to the unsecure network and, in response to detecting that the computing device roamed from the secure network to the unsecure network, to transfer an execution environment from the first operating system of the first virtual user partition to the second operating system of the second virtual user partition.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computing device of claim 8, wherein the location awareness agent to start up the second virtual user partition in response to detecting that the computing device roamed from the secure network to the unsecure network.
  - 10. The computing device of claim 8, wherein the virtual machine monitor to shut down the first virtual user partition in response to the location awareness agent detecting that the computing device roamed from the secure network to the unsecure network.
  - 11. The computing device of claim 8, wherein the location awareness agent to detect if the computing device roams back to the secure network from the unsecure network;
    - and wherein the location awareness agent to transfer the execution environment back to the first operating system of the first virtual user partition from the second operating system of the second virtual user partition in response to detecting that the computing device roamed back to the secure network from the unsecure network.
  - 12. The computing device of claim 8, wherein the first set of security controls applied to the first operating system of the first virtual user partition is different than the second set of security controls applied to the second operating system of the second virtual user partition, the second set of security controls imposes at least one more restriction than the first set of security controls.
  - 13. The computing device of claim 8, wherein the first set of security controls enables the first operating system of the first virtual user partition to access data on the device and the second set of security controls restricts the second operating system of the second virtual user partition from accessing at least a portion of the data on the computing device.
  - 14. The computing device of claim 8, wherein the secure partition comprises at least one of an Active Management Technologies (AMT) partition, a Manageability Engine (ME), a Platform Resource Layer (PRL), a virtual machine (VM), and an independent processor core.

15. A non-transitory, machine-accessible storage medium having instructions stored thereon, which when executed by a processor of a device, cause the device to:
- indentify a change in network status of a device, the device including a secure partition, a first virtual user partition, and a second virtual user partition, each of the secure partition, the first virtual user partition, and the second virtual user partition being different partitions of the device, and the secure partition including a location awareness agent;
  
  determine, with the location awareness agent, whether the device is connected to a network;
  
  determine, in response to the device being connected to the network, whether the network is secure by attempting to connect to a known network infrastructure element in a secure network;
  
  apply, with the location awareness agent, a first set of security controls to a first operating system in the first virtual user partition in response to determining that the device is connected to the secure network, the location awareness agent to apply the first set of security controls to the first operating system prior to enabling the first operating system to access the secure network;
  
  apply, with the location awareness agent, a second set of security controls to a second operating system in the second virtual user partition in response to determining that the device is connected to an unsecure network, the location awareness agent to apply the second set of security controls to the second operating system prior to enabling the second operating system to access the unsecure network;
  
  identify whether the device moves from the secure network to the unsecure network; and
  
  transfer an execution environment from the first virtual operating system in the first user partition to the second operating system in the second virtual user partition response to identifying that the device moved from the secure network to the unsecure network.
- View Dependent Claims (16, 17)
- - 16. The non-transitory, machine-accessible storage medium of claim 15, wherein the first set of security controls applied to the first operating system in the first virtual user partition is different than the second set of security controls applied to the second operating system in the second virtual user partition, the second set of security controls imposes at least one more restriction than the first set of security controls.
  - 17. The non-transitory, machine-accessible storage medium of claim 15, wherein the first set of security controls enables the first operating system in the first virtual user partition to access data on the device and the second set of security controls restricts the second operating system in the second virtual user partition from accessing at least a portion of the data on the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Morgan, Dennis
Primary Examiner(s)
Smithers, Matthew

Application Number

US13/213,855
Publication Number

US 20110302658A1
Time in Patent Office

564 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/57   Certifying or maintaining t...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/0209   Architectural arrangements,...

H04L 63/105   Multiple levels of security

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

Method, apparatus, and system for enabling a secure location-aware platform

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus, and system for enabling a secure location-aware platform

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links