Managing firmware update attempts

US 8,996,744 B1
Filed: 12/02/2013
Issued: 03/31/2015
Est. Priority Date: 09/08/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A system, comprising:

one or more processors; and

a memory device including instructions, which when executed by the one or more processors, cause the system to;

store a value of a secure counter as an expected value within a secure location;

provision a guest operating system to enable a user to remotely access the guest operating system via a network connection, the guest operating system having direct, non-virtualized access to at least one device of a host system;

cause the secure counter to be updated for at least one attempted modification of configuration information for the at least one device;

determine, based at least in part on a current value of the secure counter as compared to the expected value, whether the guest operating system attempted to modify the configuration information for the at least one device; and

perform at least one action with respect to at least one of the host system or the at least one device in response to determining that the current value of the secure counter does not correspond to the expected value.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Attempts to update confirmation information or firmware for a hardware device can be monitored using a secure counter that is configured to monotonically adjust a current value of the secure counter for each update or update attempt. The value of the counter can be determined every time the validity of the firmware is confirmed, and this value can be stored to a secure location. At subsequent times, such as during a boot process, the actual value of the counter can be determined and compared with the expected value. If the values do not match, such that the firmware may be in an unexpected state, an action can be taken, such as to prevent access to, or isolate, the hardware until such time as the firmware can be validated or updated to an expected state.

103 Citations

View as Search Results

21 Claims

1. A system, comprising:
- one or more processors; and
  
  a memory device including instructions, which when executed by the one or more processors, cause the system to;
  
  store a value of a secure counter as an expected value within a secure location;
  
  provision a guest operating system to enable a user to remotely access the guest operating system via a network connection, the guest operating system having direct, non-virtualized access to at least one device of a host system;
  
  cause the secure counter to be updated for at least one attempted modification of configuration information for the at least one device;
  
  determine, based at least in part on a current value of the secure counter as compared to the expected value, whether the guest operating system attempted to modify the configuration information for the at least one device; and
  
  perform at least one action with respect to at least one of the host system or the at least one device in response to determining that the current value of the secure counter does not correspond to the expected value.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein the user is a customer of a service provider and the host system is operated by the service provider.
  - 3. The system of claim 1, wherein the at least one action includes at least one of re-flashing the at least one device or the host system, limiting access to the at least one device or the host system, isolating the at least one device or the host system, discontinuing a boot process of the at least one device or the host system, performing a validation process for the at least one device or the host system, provisioning the guest operating system on a second host system, resetting the at least one device or the host system, shutting down the host system, or shutting down a user network including the host system.

4. A computer-implemented method, comprising:
- provisioning a guest operating system having direct, non-virtualized access to at least one device of a host system;
  
  causing a counter to be updated for at least one attempted modification of configuration information for the at least one device; and
  
  performing at least one action with respect to at least one of the host system or the at least one device in response to a determination that a value of the counter does not correspond to an expected value,wherein the expected value is stored in a location inaccessible to the guest operating system.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 5. The computer-implemented method of claim 4, further comprising:
    - determining that the configuration information was modified without authorization based at least in part on the determination that the value of the counter does not correspond to the expected value.
  - 6. The computer-implemented method of claim 4, wherein the counter is integrated within at least one of the host system, a network interface card, or along a path between a Peripheral Component Interconnect (PCI) bus and the at least one device.
  - 7. The computer-implemented method of claim 4, further comprising:
    - receiving, from a control plane computer system, a set of configuration information; and
      
      updating the configuration information without updating the counter.
  - 8. The computer-implemented method of claim 4, wherein the at least one action includes indicating that the configuration information of the host system is to be flashed before provisioning a subsequent guest operating system on the host system.
  - 9. The computer-implemented method of claim 4, further comprising:
    - communicating with a provisioning system to transmit the expected value of the counter.
  - 10. The computer-implemented method of claim 4, further comprising:
    - causing at least one second counter to be updated to a second value for each second attempted modification of second configuration information for at least one second device of the host system.
  - 11. The computer-implemented method of claim 10, further comprising:
    - causing a master counter to use the value and the second value to determine a master expected value.
  - 12. The computer-implemented method of claim 11, wherein the master counter corresponds to a rack of servers, the rack of servers including the host system.
  - 13. The computer-implemented method of claim 4, further comprising:
    - encrypting or digitally signing the expected value.
  - 14. The computer-implemented method of claim 4, wherein the expected value is stored in a memory location of the host system or a remote data store.
  - 15. The computer-implemented method of claim 4, wherein the at least one device is at least one of a central processing unit, a graphics processing unit, a disk controller, a network interface card, a PCI bus, a cryptographic card, a hardware codec, a co-processing device, a peripheral device, an input/output chipset, an element on a bus, or a data path routing component.
  - 16. The computer-implemented method of claim 4, wherein the counter is a monotonic counter.
  - 17. The computer-implemented method of claim 4, wherein the configuration information comprises firmware for at least one of a central processing unit, a Basic Input/Output System (BIOS), or a peripheral device.

18. A non-transitory computer-readable storage medium storing instructions for managing configuration of a computing system, the instructions, which when executed by one or more processors, cause the one or more processors to:
- store a first value of a counter as an expected value;
  
  provision a guest operating system having direct, non-virtualized access to at least one device of a host system;
  
  cause the counter to be updated for at least one attempted modification of configuration information for the at least one device;
  
  determine, based at least in part on the first value of the counter, whether the guest operating system attempted to modify the configuration information for the at least one device; and
  
  perform at least one action with respect to at least one of the host system or the at least one device in response to determining that a second value of the counter does not correspond to the expected value.
- View Dependent Claims (19, 20, 21)
- - 19. The non-transitory computer-readable storage medium of claim 18, wherein the expected value is encrypted, digitally signed, or stored in a memory location of the host system or a remote data store that is inaccessible to a user of the guest operating system.
  - 20. The non-transitory computer-readable storage medium of claim 18, wherein a user has applied an authorized modification to the configuration information, and the instructions, which when executed by the one or more processors, further cause the one or more processors to:
    - obtain a notification from the user that the user applied the authorized modification to the configuration information; and
      
      update the expected value of the counter based on the notification.
  - 21. The non-transitory computer-readable storage medium of claim 18, wherein the at least one action includes at least one of re-flashing the at least one device or the host system, limiting access to the at least one device or the host system, isolating the at least one device or the host system, discontinuing a boot process of the at least one device or the host system, performing a validation process for the at least one device or the host system, provisioning the guest operating system on a second host system, resetting the at least one device or the host system, shutting down the host system, or shutting down a user network including the host system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Marr, Michael David, Vincent, Pradeep, Corddry, Matthew T., Hamilton, James R.
Primary Examiner(s)
Alrobaye, Idriss N
Assistant Examiner(s)
YU, HENRY W

Application Number

US14/094,642
Time in Patent Office

484 Days
Field of Search

710/8, 710/15, 710/22, 713/2, 713/189, 713/191, 713/193, 713/201, 717/168, 717/171
US Class Current

710/8
CPC Class Codes

G06F 11/3003   Monitoring arrangements spe...

G06F 11/3051   Monitoring arrangements for...

G06F 21/57   Certifying or maintaining t...

G06F 21/572   Secure firmware programming...

G06F 21/575   Secure boot

G06F 21/577   Assessing vulnerabilities a...

G06F 2201/865   Monitoring of software

G06F 2201/88   Monitoring involving counting

G06F 2221/033   Test or assess software

G06F 8/65   Updates security arrangemen...

H04L 67/10   in which an application is ...

Managing firmware update attempts

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Managing firmware update attempts

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links