Software revocation infrastructure
Abstract
In one implementation, software components include an identity of a revocation authority. Prior to loading of the software in a given platform, the revocation authority is checked for any revocation messages. The revocation authority creates software component specific messages for any software components to be revoked, rather than using certificate revocation or individual licenses. The messages include mitigation information, such as instructions for automatically configuring already installed software without requiring an update or change in code.
33 Citations
19 Claims
1. A method comprising:
distributing, over a network, multiple instances of a signed software component to multiple devices, the instances including an identification of a revocation authority;
noting, by a processor of the revocation authority, a vulnerability in a version of the signed software component;
identifying, by the processor of the revocation authority, a first signature that was used to sign the version of the signed software component;
receiving a request, at the processor of the revocation authority, for a revocation message of the signed software component; and
transmitting, by the processor of the revocation authority, the revocation message in response to the request, the revocation message including mitigation information only for the version of the signed software component that is signed by the first signature on one or more of the devices and including a second signature;
wherein the mitigation information includes information to reduce or remove the vulnerability;
wherein the revocation message disables the version of the signed software component until the vulnerability has been mitigated.
(Dependent claims 2 to 13)
14. Logic encoded in one or more non-transitory computer-readable media that includes code for execution and when executed by a processor is operable to perform operations comprising:
activating, by the processor, a software component on a platform, the software component including a first signature and having a version;
verifying, by the processor, that the first signature is valid and rooted in a trusted signing certificate;
checking, by the processor, for expiration of the software component;
checking, by the processor, for revocation of the version of the software component by a revocation authority, wherein the first signature is used to identify the version of the software component, wherein revocation disables the software component from loading;
receiving mitigation information, from the revocation authority, when the version is revoked, the mitigation information including information to reduce or remove a vulnerability in the version of the software component;
implementing, by the processor, the mitigation information for the software component; and
loading, by the processor, the software component.
(Dependent claims 15 to 18)
19. Logic encoded in one or more non-transitory computer-readable media that includes code for execution and when executed by a processor is operable to perform operations comprising:
receiving, by a processor of a revocation authority, a message indicating that a version of software has a vulnerability;
identifying, by the processor of the revocation authority, a signature used to sign the version of software;
receiving, by the processor of the revocation authority, a request formatted pursuant to a distribution mechanism identified in metadata of the version of software; and
distributing, by the processor of the revocation authority, to a device, a signed revocation message comprising mitigation information for the vulnerability of the version of software signed by the signature, the mitigation information including one or more instructions for automatic mitigation by a platform loading the version of software signed by the signature;
wherein the revocation message disables the device from loading the version of software signed by the signature;
wherein the one or more instructions include instructions to reduce or remove the vulnerability in the version of the software component without changing code of the software.
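The following is an added illustration, not code from the patent or its assignee, of the load-time checks in claim 14 and the revocation authority of claim 19: the component carries its revocation authority in its metadata, the authority keys revocations on the component's first signature rather than on a certificate, and the signed revocation message carries configuration-only mitigation that the platform applies before loading. The names RevocationAuthority, activate, make_component and the key tables are assumptions; signatures are modelled with HMAC over a canonical JSON body so the example runs on the standard library alone, where the patent's design uses signatures rooted in a trusted signing certificate.

```python
import hmac, hashlib, json

# Constructed demo keys. Signatures are modelled with HMAC so this runs on the standard
# library alone; the design on the page uses asymmetric signatures rooted in a certificate.
TRUSTED_SIGNING_KEYS = {"vendor": b"vendor-signing-key"}        # stands in for the trust root
AUTHORITY_KEYS = {"revauth.example": b"revocation-authority-key"}

def sign(key, payload):
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def verify(key, payload, signature):
    return key is not None and hmac.compare_digest(sign(key, payload), signature)

def make_component(name, version, expires, authority, signer):
    # The component's metadata names the revocation authority the loader must consult.
    body = {"name": name, "version": version, "expires": expires,
            "revocation_authority": authority, "signer": signer}
    return {**body, "signature": sign(TRUSTED_SIGNING_KEYS[signer], body)}  # first signature

class RevocationAuthority:
    def __init__(self, ident):
        self.ident, self.revoked = ident, {}   # revoked is keyed by the first signature
    def note_vulnerability(self, component, mitigation):
        # mitigation: configuration to apply on the platform, or None if none is known yet
        self.revoked[component["signature"]] = mitigation
    def revocation_message(self, first_signature):
        if first_signature not in self.revoked:
            return None
        body = {"revoked_signature": first_signature, "mitigation": self.revoked[first_signature]}
        return {**body, "signature": sign(AUTHORITY_KEYS[self.ident], body)}  # second signature

def activate(component, authorities, now, config):
    # Loader-side checks in the order of claim 14; config is updated when mitigation applies.
    body = {k: v for k, v in component.items() if k != "signature"}
    if not verify(TRUSTED_SIGNING_KEYS.get(component["signer"]), body, component["signature"]):
        return "rejected: bad signature"
    if now > component["expires"]:
        return "rejected: expired"
    authority = authorities[component["revocation_authority"]]
    msg = authority.revocation_message(component["signature"])
    if msg is None:
        return "loaded"
    mbody = {k: v for k, v in msg.items() if k != "signature"}
    if not verify(AUTHORITY_KEYS.get(authority.ident), mbody, msg["signature"]):
        return "rejected: untrusted revocation message"
    if msg["mitigation"] is None:
        return "disabled: revoked, no mitigation available"   # stays disabled until mitigated
    config.update(msg["mitigation"])   # configuration change only, no code update
    return "loaded after mitigation"
```

Because revocation is keyed on the first signature, a re-signed fixed version of the same component is not affected by the earlier version's revocation.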