Execution stack securing process

US 9,135,436 B2
Filed: 10/19/2012
Issued: 09/15/2015
Est. Priority Date: 10/19/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

separating, by a computing device, an image into a plurality of layers to form a trusted execution stack, each layer comprising a plurality of components combined into a logical grouping; and

hardening, by the computing device, each of the plurality of layers of the trusted execution stack, whereinthe hardening of the plurality of layers comprises digitally signing the respective logical grouping into the respective layer and applying a digital signature of each of the plurality of layers to a next layer in the plurality of layers such that each of the plurality of layers are authenticated in an order when loading the trusted execution stack, and the plurality of layers comprises hardware and software layers, and whereinthe hardening of each of the plurality of layers further comprises attesting firmware, hardware, reconfiguration hardware, hardware emulators, at least one host operating system, and at least one hypervisor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach to securing an execution stack (or cloud architecture) is provided. For example, an image is separated into a plurality of layers to form a trusted execution stack. Each of the plurality of layers is hardened to secure key cloud components of the trusted execution stack.

46 Citations

View as Search Results

19 Claims

1. A computer-implemented method, comprising:
- separating, by a computing device, an image into a plurality of layers to form a trusted execution stack, each layer comprising a plurality of components combined into a logical grouping; and
  
  hardening, by the computing device, each of the plurality of layers of the trusted execution stack, whereinthe hardening of the plurality of layers comprises digitally signing the respective logical grouping into the respective layer and applying a digital signature of each of the plurality of layers to a next layer in the plurality of layers such that each of the plurality of layers are authenticated in an order when loading the trusted execution stack, and the plurality of layers comprises hardware and software layers, and whereinthe hardening of each of the plurality of layers further comprises attesting firmware, hardware, reconfiguration hardware, hardware emulators, at least one host operating system, and at least one hypervisor.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the plurality of layers further comprise a layer for hardware and firmware, a layer for host operating systems and drivers, hypervisors, and virtual machine managers, a layer for guest operating systems and drivers, hardware emulators, and system software, and a layer for application software and network software.
  - 3. The computer-implemented method of claim 1, wherein the hardening of each of the plurality of layers comprises securing at least one virtual machine manager.
  - 4. The computer-implemented method of claim 1, wherein the hardening of each of the plurality of layers comprises securing at least one hypervisor and a host operating system.
  - 5. The computer-implemented method of claim 1, wherein the hardening of each of the plurality of layers comprises whitelisting a guest operating system, a host operating system, and at least one application used by the guest operating system, the host operating system, or both.
  - 6. The computer-implemented method of claim 1, wherein the hardening of each of the plurality of layers comprises sandboxing application software to create a confined execution environment.
  - 7. The computer-implemented method of claim 1, wherein the plurality of layers are hardened for a client device, a server, or both.

8. An apparatus, comprising:
- at least one processor; and
  
  memory comprising instructions, whereinthe instructions, when executed by the at least one processor, are configured to cause the apparatus to;
  
  separate an image into a plurality of layers to form a trusted execution stack;
  
  harden each of the plurality of layers of the trusted execution stack;
  
  apply a digital signature of each of the plurality of layers to a next layer in the plurality of layers such that each of the plurality of layers are authenticated in an order when loading the trusted execution stack;
  
  digitally sign the entire trusted execution stack by applying one final signature across an entire enterprise layer of the plurality of layers as a multitude of signatures to ensure that each individual layer is trusted in the trusted execution stack, wherein the plurality of layers comprises hardware and software layers, andattest firmware, hardware, reconfiguration hardware, hardware emulators, at least one host operating system, and at least one hypervisor.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the plurality of layers comprise a layer for hardware and firmware, a layer for host operating systems and drivers, hypervisors, and virtual machine managers, a layer for guest operating systems and drivers, hardware emulators, and system software, and a layer for application software and network software.
  - 10. The apparatus of claim 8, wherein the instructions, when executed by the at least one processor, are further configured to cause the apparatus to secure at least one virtual machine manager.
  - 11. The apparatus of claim 8, wherein the instructions, when executed by the at least one processor, are further configured to cause the apparatus to secure at least one hypervisor and a host operating system.
  - 12. The apparatus of claim 8, wherein the instructions, when executed by the at least one processor, are further configured to cause the apparatus to whitelist a guest operating system, a host operating system, and at least one application used by the guest operating system, the host operating system, or both.
  - 13. The apparatus of claim 8, wherein the instructions, when executed by the at least one processor, are further configured to cause the apparatus to sandbox application software to create a confined execution environment.
  - 14. The apparatus of claim 8, wherein the plurality of layers are hardened for a client device, a server, or both.

15. A computer-implemented method, comprising:
- separating, by a computing device, an image of a device into a plurality of layers to create a trusted execution stack, each layer comprising a plurality of components combined into a logical grouping; and
  
  hardening, by the computing device, each of the plurality of layers to secure the trusted execution stack, whereinthe hardening of each of the plurality of layers comprises digitally signing the respective logical grouping into the respective layer and applying a digital signature of each of the plurality of layers to a next layer in the plurality of layers such that each of the plurality of layers are authenticated in an order when loading the trusted execution stack, andthe plurality of layers comprises hardware and software layers, and wherein the hardening of each of the plurality of layers comprises attesting bare metal components, hosted components, or both.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-implemented method of claim 15, wherein the hardening of each of the plurality of layers comprises securing bare metal components, hosted components, or both.
  - 17. The computer-implemented method of claim 15, wherein the hardening of each of the plurality of layers comprises whitelisting at least one guest operating system, at least one host operating system, and at least one application.
  - 18. The computer-implemented method of claim 15, wherein the hardening of each of the plurality of layers comprises sandboxing at least one application to confine changes in a computing environment.
  - 19. The computer-implemented method of claim 15, wherein the hardening of each of the plurality of layers comprises signing, using a digital signature, bare metal components, hosted components, at least one application, or any combination of the bare metal components, hosted components, and the at least one application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Aerospace Corporation
Original Assignee
Aerospace Corporation
Inventors
Lee, Richard M.
Primary Examiner(s)
CHANG, KENNETH W

Application Number

US13/656,495
Publication Number

US 20140115689A1
Time in Patent Office

1,061 Days
Field of Search

726/16
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2149   Restricted operating enviro...

Execution stack securing process

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

46 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Execution stack securing process

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links