Secure application attestation using dynamic measurement kernels
First Claim
1. A method comprising:
- receiving an attestation request at an application from a third party;
- loading an attestation kernel into a storage unit in response to the attestation request, wherein code stored in the storage unit is allowed to access memory outside of the storage unit whereas code stored outside of the storage unit is blocked from accessing any memory location in the storage unit;
- executing one or more operations at hardware logic, corresponding to the attestation request and in accordance with data stored in the storage unit, to generate a manifest, wherein the hardware logic executes the one or more operations in response to a transmission from a virtual machine manager logic, wherein the transmission is generated by the virtual machine manager logic in response to the attestation request;
- generating an attestation of data stored in the storage unit;
- verifying a state of the application based on the generated attestation of the data stored in the storage unit and the manifest;
- generating a statement of application measurement based on a hash of the manifest; and
- transmitting the application measurement, the manifest, and the attestation data to both the application and the third party.
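A toy end-to-end model of the claim 1 flow, added here as an illustration and not taken from the patent: the third party supplies a nonce, the application loads the attestation kernel into the storage unit, hardware logic produces a manifest, the storage unit contents are attested, and the statement of application measurement is the hash of the manifest, which the third party then checks. The HMAC under a hardware-held key, the JSON manifest layout and every byte string are constructed assumptions; the patent specifies none of them.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: a hardware-held attestation key and an attestation kernel image.
HW_ATTESTATION_KEY = b"constructed-hardware-attestation-key"
ATTESTATION_KERNEL = b"constructed attestation kernel image"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class StorageUnit:
    """Isolated region: only code inside may read it (isolation is modelled, not enforced here)."""

    def __init__(self):
        self.contents = b""

    def load(self, kernel: bytes) -> None:
        self.contents = kernel

def attest_storage_unit(unit: StorageUnit, nonce: bytes) -> bytes:
    """Attestation of the data in the storage unit, bound to the requester's nonce (HMAC is an assumption)."""
    msg = sha256_hex(unit.contents).encode() + nonce
    return hmac.new(HW_ATTESTATION_KEY, msg, hashlib.sha256).digest()

def generate_manifest(app_code: bytes, unit: StorageUnit) -> bytes:
    """Hardware-logic step (triggered by the VMM in claim 1): measure the application and the kernel."""
    entries = {"app": sha256_hex(app_code), "kernel": sha256_hex(unit.contents)}
    return json.dumps(entries, sort_keys=True).encode()

def handle_attestation_request(app_code: bytes, nonce: bytes) -> dict:
    """Application side of claim 1: load kernel, build manifest, attest storage unit, hash manifest."""
    unit = StorageUnit()
    unit.load(ATTESTATION_KERNEL)
    manifest = generate_manifest(app_code, unit)
    attestation = attest_storage_unit(unit, nonce)
    measurement = sha256_hex(manifest)  # statement of application measurement
    return {"measurement": measurement, "manifest": manifest, "attestation": attestation}

def third_party_verify(resp: dict, nonce: bytes, expected_app_hash: str) -> bool:
    """Relying party: check kernel attestation and freshness, manifest integrity, then app identity."""
    expected_msg = sha256_hex(ATTESTATION_KERNEL).encode() + nonce
    expected_att = hmac.new(HW_ATTESTATION_KEY, expected_msg, hashlib.sha256).digest()
    if not hmac.compare_digest(resp["attestation"], expected_att):
        return False  # wrong kernel in the storage unit, or a replayed response
    if sha256_hex(resp["manifest"]) != resp["measurement"]:
        return False  # measurement does not match the manifest it summarises
    return json.loads(resp["manifest"])["app"] == expected_app_hash
```

The nonce binding is what lets the third party reject a replayed attestation; without it, a recorded response for a good kernel would verify forever.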
Abstract
Methods and apparatus to provide secure application attestation using dynamic measurement kernels are described. In some embodiments, secure application attestation is provided by using dynamic measurement kernels. In various embodiments, P-MAPS (Processor-Measured Application Protection Service), Secure Enclaves (SE), and/or combinations thereof may be used to provide dynamic measurement kernels to support secure application attestation. Other embodiments are also described.
163 Citations
28 Claims
1. A method comprising: (independent claim, reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A non-transitory computer-readable medium comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations to:
- receive an attestation request at an application from a third party;
- load an attestation kernel into a storage unit in response to the attestation request, wherein code stored in the storage unit is allowed to access memory outside of the storage unit whereas code stored outside of the storage unit is blocked from accessing any memory location in the storage unit;
- execute one or more operations, corresponding to the attestation request and in accordance with data stored in the storage unit, to generate a manifest, wherein the processor executes the one or more operations in response to a transmission from a virtual machine manager logic, wherein the transmission is generated by the virtual machine manager logic in response to the attestation request;
- generate an attestation of data stored in the storage unit;
- verify a state of the application based on the generated attestation of the data stored in the storage unit and the manifest;
- generate a statement of application measurement based on a hash of the manifest; and
- transmit the application measurement, the manifest, and the attestation data to both the application and the third party.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.
20. A system comprising:
- memory to store one or more instructions corresponding to a container; and
- a processor, having hardware logic, to execute the one or more instructions to:
  - receive an attestation request at an application from a third party;
  - load an attestation kernel into a storage unit in response to the attestation request, wherein code stored in the storage unit is allowed to access memory outside of the storage unit whereas code stored outside of the storage unit is blocked from accessing any memory location in the storage unit;
  - execute one or more operations, corresponding to the attestation request and in accordance with data stored in the storage unit, to generate a manifest, wherein the processor executes the one or more operations in response to a transmission from a virtual machine manager logic, wherein the transmission is generated by the virtual machine manager logic in response to the attestation request;
  - generate an attestation of data stored in the storage unit;
  - verify a state of the application based on the generated attestation of the data stored in the storage unit and the manifest;
  - generate a statement of application measurement based on a hash of the manifest; and
  - transmit the application measurement, the manifest, and the attestation data to both the application and the third party.
Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28.
Specification