Secure vault service for software components within an execution environment
Abstract
Embodiments of apparatuses, articles, methods, and systems for a secure vault service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when those components are part of an otherwise compromised operating system environment. The underlying platform can lock and unlock secrets on behalf of the authenticated/authorized/verified software component, with the secrets provided in protected memory regions that are accessible only to that component. Other embodiments may be described and claimed.
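As an added illustration (not code from the patent or from any product), the following Python models the vault behaviour the abstract and claims describe: a measurement-based identity for a kernel component, a graded integrity result that raises an alert on failure, and secrets that stay encrypted under a platform key and are released only to a verified, policy-listed component. The SHA-256 page measurement, the HMAC-based keystream and the `SecureVault` class are all constructed for this example; a real platform would use a hardware measurement and an authenticated cipher.

```python
import hashlib
import hmac
import os

def measure(pages):
    # SHA-256 per code page stands in for the hardware module's measurement of a kernel component
    return [hashlib.sha256(p).digest() for p in pages]

def verify_integrity(pages, reference):
    # Graded result: fraction of pages matching the reference (1.0 = pass, lower = degree of failure)
    current = measure(pages)
    matched = sum(1 for c, r in zip(current, reference) if hmac.compare_digest(c, r))
    return matched / len(reference)

def xor_crypt(key, nonce, data):
    # HMAC-SHA256 in counter mode as a demonstration keystream (stand-in for an AEAD such as AES-GCM)
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class SecureVault:
    """VMM-side vault: secrets stay encrypted at rest and are released only to a component
    that is on the policy list and whose periodic integrity verification passes."""

    def __init__(self, platform_key):
        self.key = platform_key   # platform encryption key (constructed for the example)
        self.policy = {}          # component name -> reference measurement (its verified identity)
        self.sealed = {}          # component name -> (nonce, ciphertext)
        self.alerts = []          # (component, degree) for every failed verification

    def register(self, name, pages):
        self.policy[name] = measure(pages)

    def lock(self, name, secret):
        nonce = os.urandom(16)
        self.sealed[name] = (nonce, xor_crypt(self.key, nonce, secret))

    def unlock(self, name, pages):
        # Re-verify on every request; a failed check raises an alert and withholds the secret
        if name not in self.policy or name not in self.sealed:
            return None
        degree = verify_integrity(pages, self.policy[name])
        if degree < 1.0:
            self.alerts.append((name, degree))
            return None
        nonce, ciphertext = self.sealed[name]
        return xor_crypt(self.key, nonce, ciphertext)
```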
17 Claims
1. A computing platform comprising:
at least one processor capable of executing at least one operating system of the computing platform;
the computing platform being capable of executing, at least in part, at least one virtual machine monitor (VMM), the computing platform also comprising at least one module;
the at least one VMM being capable of providing, at least in part, multiple execution environments of the platform, the at least one VMM also being capable of controlling, at least in part, access by at least one component to at least one other component, the at least one component to be executed in at least one of the multiple execution environments, the at least one other component to be executed in at least one other of the multiple execution environments, the controlling of the access being based at least in part upon policy;
the at least one module being implemented, at least in part, by hardware;
the at least one module being associated, at least in part, with periodic verification of integrity of at least one kernel component during execution of the at least one kernel component in the platform, the verification being for detecting, at least in part, unauthorized modification of the at least one kernel component, the verification being capable of resulting in a verification result that reflects a degree of integrity verification between pass and fail, a failure of the verification resulting, at least in part, in an alert; and
the platform also being capable, at least in part, of encrypting, based at least in part upon at least one encryption key, data stored in the platform and associated with at least one of the multiple execution environments.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. At least one machine-readable memory storing instructions that when executed by at least one machine result in performance of operations comprising:
executing, at least in part, by a computing platform, at least one virtual machine monitor (VMM);
the at least one computing platform to be associated, at least in part, with at least one module;
the at least one VMM being capable of providing, at least in part, multiple execution environments of the platform, the at least one VMM also being capable of controlling, at least in part, access by at least one component to at least one other component, the at least one component to be executed in at least one of the multiple execution environments, the at least one other component to be executed in at least one other of the multiple execution environments, the controlling of the access being based at least in part upon policy;
the at least one module being implemented, at least in part, by hardware;
the at least one module being associated, at least in part, with periodic verification of integrity of at least one kernel component during execution of the at least one kernel component in the platform, the verification being for detecting, at least in part, unauthorized modification of the at least one kernel component, the verification being capable of resulting in a verification result that reflects a degree of integrity verification between pass and fail, a failure of the verification resulting, at least in part, in an alert; and
the platform also being capable, at least in part, of encrypting, based at least in part upon at least one encryption key, data stored in the platform and associated with at least one of the multiple execution environments.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.