Method and apparatus for providing a secure display window inside the primary display
Abstract
In some embodiments, the invention involves securing sensitive data from malware on a computing platform and, more specifically, utilizing virtualization technology and protected audio video path technologies to prohibit a user environment from directly accessing unencrypted sensitive data. In an embodiment, a service operating system (SOS) accesses sensitive data requested by an application running in a user environment virtual machine, or a capability operating system (COS). The SOS application encrypts the sensitive data before passing the data to the COS. The COS makes requests directly to a graphics engine, which decrypts the data before displaying the sensitive data on a display monitor. Other embodiments are described and claimed.
15 Claims
1. A system for securing data, comprising:
- a platform having virtualization technology (VT) capabilities;
- a virtual machine monitor configured to control operation of virtual machines on the platform and separate and distinct from any virtual machines under its control;
- a capability operating system (COS) to be run in a first virtual machine on the platform, the first virtual machine under control of the virtual machine monitor, an application running under the COS to request data from a source;
- a service operating system (SOS) to be run in a second virtual machine on the platform, the second virtual machine under control of the virtual machine monitor, the SOS configured to retrieve the requested data from the source and to encrypt the data before storing the encrypted data in a first memory store, the first memory store being accessible to the COS; and
- a graphics engine having decryption capabilities and having access to the first memory store and a protected second memory store, the second memory store to store decrypted data, and the second memory store being inaccessible to the first and second virtual machines.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A method for securing data, comprising:
- requesting data from a source by a first application running in a first virtual machine on a platform having virtualization technology architecture, the first virtual machine being under control of a virtual machine monitor and executing a capability operating system (COS) to control a user environment;
- intercepting the request for data by a second application running in a second virtual machine, the second virtual machine being under control of the virtual machine monitor and executing a service operating system (SOS), wherein the virtual machine monitor is separate and distinct from both the first virtual machine and the second virtual machine;
- retrieving the requested data from the source by the second application;
- encrypting the retrieved data, by the second application;
- storing the encrypted data in a first memory store accessible to the first application and to a graphics engine;
- decrypting the encrypted data, by the graphics engine, responsive to a request to display the requested data, by the first application;
- storing the decrypted data in a protected second memory store, the COS having no access to the second memory store; and
- displaying the requested data on a display monitor by the graphics engine.
Dependent claims: 9, 10, 11
12. A non-transitory machine-readable storage medium having instructions stored thereon for securing data, that when executed on a platform, cause the platform to:
- request data from a source by a first application running in a first virtual machine on a platform having virtualization technology architecture, the first virtual machine being under control of a virtual machine monitor and executing a capability operating system (COS) to control a user environment;
- intercept the request for data by a second application running in a second virtual machine, the second virtual machine being under control of the virtual machine monitor and executing a service operating system (SOS), wherein the virtual machine monitor is separate and distinct from both the first virtual machine and the second virtual machine;
- retrieve the requested data from the source by the second application;
- encrypt the retrieved data, by the second application;
- store the encrypted data in a first memory store accessible to the first application and to a graphics engine;
- decrypt the encrypted data, by the graphics engine, responsive to a request to display the requested data, by the first application;
- store the decrypted data in a protected second memory store, the COS having no access to the second memory store; and
- display the requested data on a display monitor by the graphics engine.
Dependent claims: 13, 14, 15
Specification