Identification and execution of subsets of a plurality of instructions in a more secure execution environment

US 9,465,946 B2
Filed: 06/01/2012
Issued: 10/11/2016
Est. Priority Date: 06/01/2012
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer-readable medium having computer-readable code embodied therein, the computer-readable code configured to enable a computing device, in response to execution of the code, to:

identify and encrypt a first subset of a first plurality of instructions, wherein the first subset comprises a basic block including a second plurality of instructions of the first plurality of instructions, wherein the basic block includes only a single entry point and only a single exit point, to enable one or more instructions of the first plurality of instructions that precede or follow the first subset to be executed in a first execution environment with a first security level, and to enable the first subset to be executed in a second execution environment with a second security level that is more secure than the first security level;

identify and encrypt a second subset; and

concatenate the first and second subsets, the first and second subsets to be executed in the second execution environment; and

generate an index of the concatenated first and second subsets, the index to include a relative virtual address associated with at least one of the first and second subsets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein for identifying and encrypting a subset of a plurality of instructions, for execution in a more secure execution environment. In various embodiments, the subset may include a single entry point and a single exit point. In various embodiments, one or more instructions of the plurality of instructions that precede or follow the subset may be executed in a first execution environment with a first security level. In various embodiments, the subset may be executed in a second execution environment with a second security level that is more secure than the first security level.

18 Citations

19 Claims

1. At least one non-transitory computer-readable medium having computer-readable code embodied therein, the computer-readable code configured to enable a computing device, in response to execution of the code, to:
- identify and encrypt a first subset of a first plurality of instructions, wherein the first subset comprises a basic block including a second plurality of instructions of the first plurality of instructions, wherein the basic block includes only a single entry point and only a single exit point, to enable one or more instructions of the first plurality of instructions that precede or follow the first subset to be executed in a first execution environment with a first security level, and to enable the first subset to be executed in a second execution environment with a second security level that is more secure than the first security level;
  
  identify and encrypt a second subset; and
  
  concatenate the first and second subsets, the first and second subsets to be executed in the second execution environment; and
  
  generate an index of the concatenated first and second subsets, the index to include a relative virtual address associated with at least one of the first and second subsets.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The at least one computer-readable medium of claim 1, wherein the code, in response to execution by the computing device, further enables the computing device to associate, with the first subset, one or more instructions to return execution from the second execution environment to the first execution environment.
  - 3. The at least one computer-readable medium of claim 1, wherein the code, in response to execution by the computing device, further enables the computing device to add, to the first plurality of instructions before the first subset, one or more instructions to initialize the second execution environment.
  - 4. The at least one computer-readable medium of claim 1, wherein the code, in response to execution by the computing device, further enables the computing device to add, to the first plurality of instructions, one or more instructions to preserve an execution context prior to redirection of execution from the first execution environment to the second execution environment.
  - 5. The at least one computer-readable medium of claim 4, wherein the code, in response to execution by the computing device, further enables the computing device to add, to the first plurality of instructions, one or more instructions to restore the execution context after execution returns to the first execution environment from the second execution environment.
  - 6. The at least one computer-readable medium of claim 1, wherein the code, in response to execution by the computing device, further enables the computing device to generate an index of the concatenated first and second subsets, the index to include a size and offset associated with at least one of the first and second subsets.
  - 7. The at least one computer-readable medium of claim 1, wherein the code, in response to execution by the computing device, further enables the computing device to generate a dispatcher routine to be invoked upon redirection of execution into the second execution environment, the dispatcher routine to invoke the first subset and redirect execution back to the first execution environment after execution of the second subset.

8. At least one non-transitory computer-readable medium having computer-readable code embodied therein, the computer-readable code comprising:
- a first set of instructions to be executed in a first execution environment of a computing device with a first security level;
  
  a second set of instructions, that includes a plurality of instructions, wherein the plurality of instructions includes only a single entry point and only a single exit point, to be executed in a second execution environment of the computing device with a second security level that is more secure than the first security level;
  
  a third set of instructions, that includes a single entry point and a single exit point, to be executed in the second execution environment, wherein the second and third sets of instructions are encrypted and concatenated; and
  
  an index of the concatenated second and third sets of instructions that comprises a relative virtual address associated with at least one of the second and third sets; and
  
  wherein the first set of instructions includes at least one instruction to redirect execution to the second execution environment and at least one instruction to preserve an execution context prior to redirection of execution to the second execution environment, and wherein the second set of instructions includes at least one instruction to restore the execution context.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The at least one computer-readable medium of claim 8, wherein the first set of instructions includes, prior to the at least one instruction to redirect execution to the second execution environment, one or more instructions to initialize the second execution environment.
  - 10. The at least one computer-readable medium of claim 8, wherein the index further comprises a size and offset associated with at least one of the first and second sets.
  - 11. The at least one computer-readable medium of claim 8, further comprising one or more instructions that form a dispatcher routine, the dispatcher routine to be invoked upon redirection of execution into the second execution environment, the dispatcher routine to invoke the second set of instructions and redirect execution back to the first execution environment after execution of the second set of instructions.
  - 12. The at least one computer-readable medium of claim 11, wherein the second set of instructions is encrypted, the medium further comprising one or more instructions that form an initializer routine to be executed in the second execution environment, the initializer routine to decrypt the second set of instructions.
  - 13. The at least one computer-readable medium of claim 12, wherein the dispatcher routine includes one or more instructions to restore an execution context prior to invocation of the second set of instructions and to preserve the execution context after execution of the second set of instructions.

14. A computer-implemented method, comprising:
- identifying and extracting, by a computing device, a first subset of a first plurality of instructions, wherein the first subset comprises a basic block including a second plurality of instructions, wherein the basic block includes only a single entry point and only a single exit point;
  
  adding, by the computing device, to the first plurality of instructions in place of the extracted first subset, one or more instructions to redirect execution from a first execution environment with a first security level to a second execution environment with a second security level that is more secure than the first security level;
  
  adding, by the computing device, the first subset to a third plurality of instructions to be executed in the second execution environment, wherein the first plurality of instructions is to be executed in the first execution environment;
  
  encrypting, by the computing device, the first subset;
  
  identifying and encrypting, by the computing device, a second subset of the plurality of instructions; and
  
  concatenating, by the computing device, the first and second subsets;
  
  generating, by the computing device, an index of the concatenated first and second subsets, the index to include a relative virtual address associated with at least one of the first and second subsets; and
  
  adding, by the computing device, to the third plurality of instructions, one or more instructions to redirect execution from the second execution environment to the first execution environment.
- View Dependent Claims (15, 16)
- - 15. The computer-implemented method of claim 14, further comprising adding, by the computing device, to the first plurality of instructions before the one or more instructions to redirect execution from the first execution environment to the second execution environment, one or more instructions to initialize the second execution environment.
  - 16. The computer-implemented method of claim 14, further comprising adding, by the computing device, to the first plurality of instructions before the one or more instructions to redirect execution from the first execution environment to the second execution environment, one or more instructions to preserve an execution context.

17. A system, comprising:
- one or more processing units;
  
  a memory operably coupled to the one or more processing units;
  
  a first execution environment having a first security level;
  
  a second execution environment having a second security level that is more secure than the first security level; and
  
  a software converter to be operated by the one or more processing units and configured to;
  
  identify and encrypt a first subset of a first plurality of instructions suitable for execution in the second execution environment, to enable one or more instructions of the first plurality of instructions that precede or follow the subset to be executed in the first execution environment, to enable the first subset to be executed in the second execution environment;
  
  identify and encrypt a second subset; and
  
  concatenate the first and second subsets, the first and second subsets to be executed in the second execution environment;
  
  generate an index of the concatenated first and second subsets, the index to include a relative virtual address associated with at least one of the first and second subsets; and
  
  add, to the first plurality of instructions which are before the first subset, one or more instructions to preserve an execution context prior to redirection of execution from the first execution environment to the second execution environment;
  
  wherein the subset comprises a basic block including a second plurality of instructions of the first plurality of instructions, wherein the basic block includes only a single entry point and only a single exit point.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17, wherein the software converter is further configured to add, to the first plurality of instructions following the first subset, one or more instructions to initialize the second execution environment.
  - 19. The system of claim 17, further comprising a touch screen display.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Goffman, Sergei, Berenzon, Alex, Lenz, Oron, Devor, Tevi, Zhang, Bo, Zahavi, Yoram, Maor, Moshe
Primary Examiner(s)
Hailu, Teshome

Application Number

US13/997,899
Publication Number

US 20140047245A1
Time in Patent Office

1,593 Days
Field of Search

713/190
US Class Current

1/1
CPC Class Codes

G06F 21/125   by manipulating the program...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/602   Providing cryptographic fac...

Identification and execution of subsets of a plurality of instructions in a more secure execution environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Identification and execution of subsets of a plurality of instructions in a more secure execution environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others