Secure virtual machine manager

US 8,996,885 B2
Filed: 10/02/2009
Issued: 03/31/2015
Est. Priority Date: 10/02/2008
Status: Active Grant

First Claim

Patent Images

1. A secure processing system comprising:

a host processor;

a virtual machine instantiated on the host processor;

a virtual unified security hub (USH) instantiated on the virtual machine, wherein the virtual USH emulates a hardware-based USH and provides a plurality of security services to an application executing on the host processor; and

a plurality of authentication input devices coupled to the virtual USH, wherein each of the plurality of authentication input devices are included in a separate integrated circuit chip coupled to the host processor;

wherein the virtual machine includes an application programming interface (API) configured to expose the plurality of secure services provided by the virtual USH to the application and the API is configured to provide, to a plurality of applications, a unified interface for enrolling or provisioning a user credential in a credential container.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure processing systems providing host-isolated security are provided. An exemplary secure processing system includes a host processor and a virtual machine instantiated on the host processor. A virtual unified security hub (USH) is instantiated on the virtual machine to provide security services to applications executing on the host processor. The virtual USH may further include an application programming interface (API) operable to expose the security services to the applications. A further exemplary secure processing system includes a host processor running a windows operating system for example, a low power host processor, and a USH processor configured to provide secure services to both the host processor and the low power host processor isolating the secure services from the host processor and the low power processor. The USH processor may also include an API to expose the security services to applications executing on the host processor and/or the low power host processor.

14 Citations

View as Search Results

63 Claims

1. A secure processing system comprising:
- a host processor;
  
  a virtual machine instantiated on the host processor;
  
  a virtual unified security hub (USH) instantiated on the virtual machine, wherein the virtual USH emulates a hardware-based USH and provides a plurality of security services to an application executing on the host processor; and
  
  a plurality of authentication input devices coupled to the virtual USH, wherein each of the plurality of authentication input devices are included in a separate integrated circuit chip coupled to the host processor;
  
  wherein the virtual machine includes an application programming interface (API) configured to expose the plurality of secure services provided by the virtual USH to the application and the API is configured to provide, to a plurality of applications, a unified interface for enrolling or provisioning a user credential in a credential container.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. The secure processing system of claim 1, wherein the secure processing system includes a USH processor coupled to the host processor.
  - 3. The secure processing system of claim 1, wherein the secure processing system includes a USH processor coupled to the host processor over a communications network.
  - 4. The secure processing system of claim 1, wherein the secure processing system includes a USH processor coupled to the host processor via a hardware token.
  - 5. The secure processing system of claim 1, further comprising:
    - a user input device coupled to the virtual USH, wherein input data entered by the user input device is received at the virtual USH directly from the user input device.
  - 6. The secure processing system of claim 5, wherein the virtual USH is configured to determine whether to release the input data to the host processor.
  - 7. The secure processing system of claim 5, wherein the virtual USH is configured to encrypt the input data prior to release to the host processor.
  - 8. The secure processing system of claim 5, wherein the user input device is a keyboard.
  - 9. The secure processing system of claim 5, wherein the user input device is a biometric authentication device.
  - 10. The secure processing system of claim 5, wherein the user input device is a smart card containing user authentication data.
  - 11. The secure processing system of claim 1, further comprising:
    - a secure storage.
  - 12. The secure processing system of claim 11, wherein the virtual USH obtains data from the secure storage and stores data to the secure storage.
  - 13. The secure processing system of claim 11, wherein the secure storage is a trusted platform module.
  - 14. The secure processing system of claim 11, wherein the secure storage is a hardware token.
  - 15. The secure processing system of claim 1, further comprising:
    - a plurality of additional virtual machines instantiated on the host processor, wherein the virtual USH provides a common authentication engine for each of the plurality of additional virtual machines.
  - 16. The secure processing system of claim 1, wherein the plurality of applications includes a plurality of authentication applications.
  - 17. The secure processing system of claim 16, wherein an authentication input for the plurality of authentication applications is provided by a contactless smart card.
  - 18. The secure processing system of claim 16, wherein an authentication input for the plurality of authentication applications is provided by a contacted smart card.
  - 19. The secure processing system of claim 1, wherein an application in the plurality of applications is executing on a processor external to the secure processing system.
  - 20. The secure processing system of claim 1, wherein the credential container includes the user credential and an associated security policy.
  - 21. The secure processing system of claim 1, wherein the API is further configured to make the credential container including an enrolled credential for a user available to a plurality of applications executing on the host processor.
  - 22. The secure processing system of claim 1, wherein the user credential includes a biometric template.
  - 23. The secure processing system of claim 22, wherein the biometric template is a fingerprint template.
  - 24. The secure processing system of claim 1, wherein the user credential includes a human interface device identifier.
  - 25. The secure processing system of claim 1, wherein an application in the plurality of applications is executing on a processor external to the secure processing system.
  - 26. The secure processing system of claim 1, wherein the credential container includes the user credential and an associated security policy.
  - 27. The secure processing system of claim 1, wherein the API is further configured to make the credential container including a provisioned credential for a user available to a plurality of applications executing on the host processor.
  - 28. The secure processing system of claim 1, wherein the plurality of security services includes data encryption.
  - 29. The secure processing system of claim 1, wherein the plurality of security services includes user authentication.
  - 30. The secure processing system of claim 29, wherein the plurality of security services includes fingerprint matching.
  - 31. The secure processing system of claim 1, wherein the plurality of security services includes an antivirus application.

32. A secure processing system comprising:
- a host processor;
  
  a low power host processor coupled to the host processor; and
  
  a unified security hub (USH) processor coupled to the host processor and the low power host processor, wherein the USH processor is configured to provide a plurality of security services to the host processor and the low power host processor, and wherein the plurality of security services are isolated from the host processor and the low power host processor.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63)
- - 33. The secure processing system of claim 32, wherein the USH processor includes an application programming interface (API) configured to expose a plurality of secure services provided by the USH processor to a plurality of applications executing on the host processor.
  - 34. The secure processing system of claim 32, further comprising a virtual machine instantiated on the host processor, wherein the virtual machine includes an application programming interface (API) configured to expose a plurality of secure services provided by the USH processor to a plurality of applications executing on the low power host processor.
  - 35. The secure processing system of claim 32, wherein the USH processor includes an application programming interface (API) configured to provide, to a plurality of applications, a unified interface for enrolling a user credential in a credential container.
  - 36. The secure processing system of claim 35, wherein the plurality of applications includes a plurality of authentication applications.
  - 37. The secure processing system of claim 36, wherein the plurality of authentication applications are each included in a separate integrated circuit chip coupled to the host processor.
  - 38. The secure processing system of claim 36, wherein an authentication application in the plurality of authentication applications is provided by a contactless smart card.
  - 39. The secure processing system of claim 36, wherein an authentication application in the plurality of authentication applications is provided by a contacted smart card.
  - 40. The secure processing system of claim 35, wherein an application in the plurality of applications is executing on a processor external to the secure processing system.
  - 41. The secure processing system of claim 35, wherein the credential container includes the user credential and an associated security policy.
  - 42. The secure processing system of claim 41, wherein the user credential includes a biometric template.
  - 43. The secure processing system of claim 42, wherein the biometric template is a fingerprint template.
  - 44. The secure processing system of claim 35, wherein the API is further configured to make the credential container including an enrolled credential for a user available to a plurality of applications executing on the host processor.
  - 45. The secure processing system of claim 35, wherein the user credential includes a biometric template.
  - 46. The secure processing system of claim 45, wherein the biometric template is a fingerprint template.
  - 47. The secure processing system of claim 35, wherein the user credential includes a human interface device identifier.
  - 48. The secure processing system of claim 32, further comprising:
    - a plurality of virtual machines instantiated on the host processor, wherein the USH processor provides a common authentication engine to each of the plurality of virtual machines.
  - 49. The secure processing system of claim 32, wherein the USH processor provides a common authentication engine for an application executing on the host processor and an application executing on the low power host processor.
  - 50. The secure processing system of claim 32, wherein the USH processor includes an application programming interface (API) configured to provide, to a plurality of applications, a unified interface for provisioning a user credential to a credential container.
  - 51. The secure processing system of claim 50, wherein an application in the plurality of applications is executing on a processor external to the secure processing system.
  - 52. The secure processing system of claim 50, wherein the credential container includes the user credential and an associated security policy.
  - 53. The secure processing system of claim 50, wherein the API is further configured to make the credential container including a provisioned credential for a user available to a plurality of applications executing on the host processor.
  - 54. The secure processing system of claim 32, wherein the plurality of security services includes data encryption.
  - 55. The secure processing system of claim 32, wherein the plurality of security services includes user authentication.
  - 56. The secure processing system of claim 32, wherein the plurality of security services includes fingerprint matching.
  - 57. The secure processing system of claim 32. wherein the plurality of security services includes an antivirus application.
  - 58. The secure processing system of claim 32, further comprising:
    - a user input device coupled to the USH processor, wherein input data entered by the user input device is received at the USH processor directly from the user input device.
  - 59. The secure processing system of claim 58, wherein the USH processor is configured to determine whether to release the input data to the host processor.
  - 60. The secure processing system of claim 58, wherein the USH processor is configured to encrypt the input data prior to release to the host processor.
  - 61. The secure processing system of claim 58, wherein the user device is a keyboard.
  - 62. The secure processing system of claim 58, wherein the user device is a biometric authentication device.
  - 63. The secure processing system of claim 58, wherein the user device is a smart card containing user authentication data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Buer, Mark
Primary Examiner(s)
Traore, Fatoumata

Application Number

US12/573,029
Publication Number

US 20100115291A1
Time in Patent Office

2,006 Days
Field of Search

None
US Class Current

713/192
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 21/72   in cryptographic circuits

Secure virtual machine manager

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

63 Claims

Specification

Use Cases

Quick Links

Others

Secure virtual machine manager

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

63 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others