Secure vault service for software components within an execution environment

US 9,547,772 B2
Filed: 07/03/2014
Issued: 01/17/2017
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A computing platform comprising:

at least one processor that includes hardware and is capable of executing an operating system;

the operating system comprising at least one operating system component capable of determining, at least in part, in response at least in part to at least one event associated at least in part with software, whether to provide the software with an execution environment of the operating system, the determining being based at least in part upon user-definable policy and verification of cryptographic signature information, the cryptographic signature information being obtainable, at least in part, by the at least one operating system component, the cryptographic signature information being associated, at least in part, with integrity verification of the software, the integrity verification being based upon a state associated with the software at time of manufacture of the software, the integrity verification being (1) to detect unauthorized modification of the software from the state at the time of the manufacture and (2) to prevent provision of the execution environment to unrecognized software;

the execution environment, if provided, being associated with at least one access restriction to prevent unauthorized access by at least one unauthorized component, the at least one access restriction being associated at least in part with the software and the cryptographic signature information;

the execution environment being one of multiple possible execution environments that are capable of being provided for multiple respective components in the platform, at least one of the multiple respective components in at least one other of the multiple possible execution environments to be prevented, at least in part, by the at least one operating system component, from accessing the one of the multiple possible execution environments based at least in part upon the user-definable policy and the cryptographic signature information.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of apparatuses, articles, methods, and systems for secure vault service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the authenticated/authorized/verified software component. Other embodiments may be described and claimed.

131 Citations

8 Claims

1. A computing platform comprising:
- at least one processor that includes hardware and is capable of executing an operating system;
  
  the operating system comprising at least one operating system component capable of determining, at least in part, in response at least in part to at least one event associated at least in part with software, whether to provide the software with an execution environment of the operating system, the determining being based at least in part upon user-definable policy and verification of cryptographic signature information, the cryptographic signature information being obtainable, at least in part, by the at least one operating system component, the cryptographic signature information being associated, at least in part, with integrity verification of the software, the integrity verification being based upon a state associated with the software at time of manufacture of the software, the integrity verification being (1) to detect unauthorized modification of the software from the state at the time of the manufacture and (2) to prevent provision of the execution environment to unrecognized software;
  
  the execution environment, if provided, being associated with at least one access restriction to prevent unauthorized access by at least one unauthorized component, the at least one access restriction being associated at least in part with the software and the cryptographic signature information;
  
  the execution environment being one of multiple possible execution environments that are capable of being provided for multiple respective components in the platform, at least one of the multiple respective components in at least one other of the multiple possible execution environments to be prevented, at least in part, by the at least one operating system component, from accessing the one of the multiple possible execution environments based at least in part upon the user-definable policy and the cryptographic signature information.
- View Dependent Claims (2, 3, 4)
- - 2. The computing platform of claim 1, wherein:
    - the computing platform comprises storage;
      
      the storage comprises flash storage and disk drive storage; and
      
      the cryptographic signature information is associated at least in part with a signature of stored content associated with the software; and
      
      in operation of the platform, the stored content is to be stored, at least in part, in the storage prior to the at least one event.
  - 3. The computing platform of claim 1, wherein:
    - the at least one event comprises loading into memory of stored content associated with the software.
  - 4. The computing platform of claim 1, wherein:
    - the at least one processor comprises at least one multicore processor.

5. One or more non-transitory machine-readable media storing instructions that when executed by at least one processor result in performance of operations comprising:
- executing an operating system;
  
  the operating system comprising at least one operating system component capable of determining, at least in part, in response at least in part to at least one event associated at least in part with software, whether to provide the software with an execution environment of the operating system, the determining being based at least in part upon user-definable policy and verification of cryptographic signature information, the cryptographic signature information being obtainable, at least in part, by the at least one operating system component, the cryptographic signature information being associated, at least in part, with integrity verification of the software, the integrity verification being based upon a state associated with the software at time of manufacture of the software, the integrity verification being (1) to detect unauthorized modification of the software from the state at the time of the manufacture and (2) to prevent provision of the execution environment to unrecognized software;
  
  the execution environment, if provided, being associated with at least one access restriction to prevent unauthorized access by at least one unauthorized component, the at least one access restriction being associated at least in part with the software and the cryptographic signature information;
  
  the execution environment being one of multiple possible execution environments that are capable of being provided for multiple respective components in the platform, at least one of the multiple respective components in at least one other of the multiple possible execution environments to be prevented, at least in part, by the at least one operating system component, from accessing the one of the multiple possible execution environments based at least in part upon the user-definable policy and the cryptographic signature information.
- View Dependent Claims (6, 7, 8)
- - 6. The one or more non-transitory machine-readable media of claim 5, wherein:
    - a computing platform comprises;
      
      the at least one processor; and
      
      storage capable of storing the operating system;
      
      the storage comprises flash storage and disk drive storage; and
      
      the cryptographic signature information is associated at least in part with a signature of stored content associated with the software; and
      
      in operation of the platform, the stored content is to be stored, at least in part, in the storage prior to the at least one event.
  - 7. The one or more non-transitory machine-readable media of claim 5, wherein:
    - the at least one event comprises loading into memory of stored content associated with the software.
  - 8. The one or more non-transitory machine-readable media of claim 5, wherein:
    - the at least one processor comprises at least one multicore processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Durham, David M, Khosravi, Hormuzd M, Blumenthal, Uri, Long, Men
Primary Examiner(s)
Traore, Fatoumata

Application Number

US14/323,076
Publication Number

US 20150074419A1
Time in Patent Office

929 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 12/1466   Key-lock mechanism

G06F 12/1475   in a virtual system, e.g. w...

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/6209   to a single file or object,...

Secure vault service for software components within an execution environment

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

131 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Secure vault service for software components within an execution environment

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links