Method and apparatus for providing a secure display window inside the primary display

US 8,646,052 B2
Filed: 03/31/2008
Issued: 02/04/2014
Est. Priority Date: 03/31/2008
Status: Active Grant

First Claim

Patent Images

1. A system for securing data, comprising:

a platform having virtualization technology (VT) capabilities;

a virtual machine monitor configured to control operation of virtual machines on the platform and separate and distinct from any virtual machines under its control;

a capability operating system (COS) to be run in a first virtual machine on the platform, the first virtual machine under control of the virtual machine monitor, an application running under the COS to request data from a source;

a service operating system (SOS) to be run in a second virtual machine on the platform, the second virtual machine under control of the virtual machine monitor, the SOS configured to retrieve the requested data from the source and to encrypt the data before storing the encrypted data in a first memory store, the first memory store being accessible to the COS; and

a graphics engine having decryption capabilities and having access to the first memory store and a protected second memory store, the second memory store to store decrypted data, and the second memory store being inaccessible to the first and second virtual machines.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, the invention involves securing sensitive data from mal-ware on a computing platform and, more specifically, to utilizing virtualization technology and protected audio video path technologies to prohibit a user environment from directly accessing unencrypted sensitive data. In an embodiment a service operating system (SOS) accesses sensitive data requested by an application running in a user environment virtual machine, or a capability operating system (COS). The SOS application encrypts the sensitive data before passing the data to the COS. The COS makes requests directly to a graphics engine which decrypts the data before displaying the sensitive data on a display monitor. Other embodiments are described and claimed.

Citations

15 Claims

1. A system for securing data, comprising:
- a platform having virtualization technology (VT) capabilities;
  
  a virtual machine monitor configured to control operation of virtual machines on the platform and separate and distinct from any virtual machines under its control;
  
  a capability operating system (COS) to be run in a first virtual machine on the platform, the first virtual machine under control of the virtual machine monitor, an application running under the COS to request data from a source;
  
  a service operating system (SOS) to be run in a second virtual machine on the platform, the second virtual machine under control of the virtual machine monitor, the SOS configured to retrieve the requested data from the source and to encrypt the data before storing the encrypted data in a first memory store, the first memory store being accessible to the COS; and
  
  a graphics engine having decryption capabilities and having access to the first memory store and a protected second memory store, the second memory store to store decrypted data, and the second memory store being inaccessible to the first and second virtual machines.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system as recited in claim 1, further comprising a display monitor, wherein the graphics engine displays the retrieved data on the display monitor after decrypting the stored encrypted data.
  - 3. The system as recited in claim 2, wherein the graphics engine is to combine the decrypted data with other display data on the display monitor.
  - 4. The system as recited in claim 1, wherein the SOS further comprises a virtualized graphics driver for accessing the graphics engine via a physical graphics driver running on the COS.
  - 5. The system as recited in claim 1, wherein the graphics engine has a secret encryption key and the SOS has a unique application key, wherein the unique application key is to he encrypted with the secret encryption key to result in an encrypted application key for use with the graphics engine.
  - 6. The system as recited in claim 1, wherein the graphics engine is to negotiate with the SOS to utilize a session key for decrypting data encrypted by the SOS.
  - 7. The system as recited in claim 1, wherein the SOS comprises a plurality of system services and controls one or more devices other than the graphics engine.

8. A method for securing data, comprising:
- requesting data from a source by a first application running in a first virtual machine on a platform having virtualization technology architecture, the first virtual machine being under control of a virtual machine monitor and executing a capability operating system (COS) to control a user environment;
  
  intercepting the request for data by a second application running in a second virtual machine, the second virtual machine being under control of the virtual machine monitor and executing a service operating system (SOS), wherein the virtual machine monitor is separate and distinct from both the first virtual machine and the second virtual machine;
  
  retrieving the requested data from the source by the second application;
  
  encrypting the retrieved data, by the second application;
  
  storing the encrypted data in a first memory store accessible to the first application and to a graphics engine;
  
  decrypting the encrypted data, by the graphics engine, responsive to a request to display the requested data, by the first application;
  
  storing the decrypted data in a protected second memory sto , the COS having no access to the second memory store; and
  
  displaying the requested data on a display monitor by the graphics engine.
- View Dependent Claims (9, 10, 11)
- - 9. The method as recited in claim 8, further comprising:
    - combining other data to display, the other data generated by a display engine, with the requested data decrypted by the graphics engine to form a combined display area to be displayed on the display monitor.
  - 10. The method as recited in claim 8, wherein the graphics engine further comprises an encryption/decryption engine conforming to an Advanced Encryption Standard (AES) and a Sprite overlay engine to display the requested data in an interior window on the display monitor.
  - 11. The method as recited in claim 8, further comprising:
    - negotiating between the second application and the graphics engine via a. physical graphics driver running on the first virtual machine to generate a session key.

12. Anon-transitory machine-readable storage medium having instructions stored thereon for securing data, that when executed on a platform, cause the platform to:
- request data. from a source by a first application running in a. first virtual maehine on a platform having virtualization technology architecture, the first virtual machine being under control of a virtual machine monitor and executing a capability operating system (COS) to control a user environment;
  
  intercept the request for data by a second application running in a second virtual machine, the second virtual machine being under control of the virtual machine monitor and executing a service operating system (SOS), wherein the virtual machine monitor is separate and distinct from both the first virtual machine and the second virtual machine^.,retrieve the requested data from the source by the second application;
  
  encrypt the retrieved data, by the second application;
  
  store the encrypted data in a first memory store accessible to the first application and to a graphics engine;
  
  decrypt the encrypted data, by the graphics engine, responsive to a request to display the requested data, by the first application;
  
  store the decrypted data in a protected second memory store, the COS having no access to the second memory store; and
  
  display the requested data on a display monitor by the graphics engine.
- View Dependent Claims (13, 14, 15)
- - 13. The non-transitory machine-readable storage medium as recited in claim 12, further comprising instructions to:
    - combine other data to display, the other data generated by a display engine, with the requested data decrypted by the graphics engine to form a combined display area to be displayed on the display monitor.
  - 14. The non-transitory machine-readable storage medium as recited in claim 12, wherein the graphics engine further comprises an encryption/decryption engine conforming to an Advanced Encryption Standard (AES) and a Sprite overlay engine to display the requested data in an interior window on the display monitor.
  - 15. The non-transitory machine-readable storage medium as recited in claim 12, further comprising instructions to:
    - negotiate between the second application and the graphics engine via a physical graphics driver running on the first virtual machine to generate a session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Vembu, Balaji, Sarangdhar, Nitin, Shanbhogue, Vedvyas
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US12/059,972
Publication Number

US 20090245521A1
Time in Patent Office

2,136 Days
Field of Search

726/5, 713/164
US Class Current

726/5
CPC Class Codes

G06F 21/1064   Restricting content process...

G06F 21/606   by securing the transmissio...

G06F 21/84   output devices, e.g. displa...

Method and apparatus for providing a secure display window inside the primary display

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing a secure display window inside the primary display

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links