System and method for an endpoint hardware assisted network firewall in a security environment

US 9,560,014 B2
Filed: 01/23/2013
Issued: 01/31/2017
Est. Priority Date: 01/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a tamper resistant environment on a host from a virtualization environment of the host, information associated with an application executing on the host;

receiving a traffic flow at the tamper resistant environment from the application, wherein the tamper resistant environment is separated from an operating system of the host;

creating a modified traffic flow by applying a security token to the received traffic flow and by adding the information to the received traffic flow; and

sending the modified traffic flow to a server.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment and includes receiving a traffic flow at a tamper resistant environment from an application, where the tamper resistant environment is separated from a host operating system. The method also includes applying a security token to the traffic flow and sending the traffic flow to a server. In specific embodiments, a security module may add information about the application to traffic flow. A trapping module may monitor for a memory condition and identify the memory condition. The trapping module may also, responsive to identifying the memory condition, initiate a virtual environment for the application, and check the integrity of the traffic flow.

Citations

20 Claims

1. A method comprising:
- receiving, at a tamper resistant environment on a host from a virtualization environment of the host, information associated with an application executing on the host;
  
  receiving a traffic flow at the tamper resistant environment from the application, wherein the tamper resistant environment is separated from an operating system of the host;
  
  creating a modified traffic flow by applying a security token to the received traffic flow and by adding the information to the received traffic flow; and
  
  sending the modified traffic flow to a server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, where the security token is derived from an enhanced privacy identification to attest that the tamper resistant environment is trusted.
  - 3. The method of claim 1, wherein the security token is derived by the tamper resistant environment, wherein the information added to the received traffic flow includes metadata and wherein applying the security token to the received traffic flow comprises:
    - digitally signing the metadata using public key cryptography.
  - 4. The method of claim 1, further comprising:
    - monitoring a memory of the host for a memory condition;
      
      identifying the memory condition;
      
      assigning the application to a virtual machine in the virtualization environment based, at least in part, on identifying the memory condition;
      
      trapping, in the virtualization environment, process events associated with the traffic flow; and
      
      checking the integrity of the traffic flow before the traffic flow is delivered to the tamper resistant environment.
  - 5. The method of claim 1, further comprising:
    - monitoring a memory of the host for a memory condition;
      
      identifying the memory condition; and
      
      scanning the memory for integrity based, at least in part, on identifying the memory condition.
  - 6. The method of claim 4, wherein monitoring for the memory condition comprises:
    - monitoring regions of the memory associated with buffers used to send data for the memory condition.
  - 7. The method of claim 4, wherein initiating the virtual environment for the application comprises:
    - assigning the application to the virtual machine randomly based, at least in part, on identifying the memory condition.
  - 8. The method of claim 4, wherein the checking the integrity of the traffic flow before the traffic flow is delivered to the tamper resistant environment comprises:
    - checking the integrity of the traffic flow randomly.

9. At least one non-transitory computer-readable medium that includes code for execution and when executed by a processor is operable to perform operations comprising:
- receiving, at a tamper resistant environment on a host from a virtualization environment on the host, information associated with an application executing on the host;
  
  receiving a traffic flow at the tamper resistant environment from the application, wherein the tamper resistant environment is separated from an operating system of the host;
  
  creating a modified traffic flow by applying a security token to the received traffic flow and by adding the information to the received traffic flow; and
  
  sending the modified traffic flow to a server.
- View Dependent Claims (10, 11, 12, 13, 14, 18, 19, 20)
- - 10. The computer-readable medium of claim 9, wherein the security token is derived from an enhanced privacy identification to attest that the tamper resistant environment is trusted.
  - 11. The computer-readable medium of claim 9, wherein the security token is derived by the tamper resistant environment, wherein the information added to the received traffic flow includes metadata and wherein the code applying the security token to the received traffic flow comprises code for:
    - digitally signing the metadata using public key cryptography.
  - 12. The computer-readable medium of claim 9, wherein the code, when executed by the processor, is operable to perform further operations comprising:
    - monitoring a memory of the host for a memory condition;
      
      identifying the memory condition;
      
      assigning the application to a virtual machine in the virtualization environment based, at least in part, on identifying the memory condition;
      
      trapping, in the virtualization environment, process events associated with the traffic flow; and
      
      checking the integrity of the traffic flow before the traffic flow is delivered to the tamper resistant environment.
  - 13. The computer-readable medium of claim 9, wherein the code, when executed by the processor, is operable to perform further operations comprising:
    - monitoring a memory of the host for a memory condition;
      
      identifying the memory condition; and
      
      scanning the memory for integrity based, at least in part, on identifying the memory condition.
  - 14. The computer-readable medium of claim 12, wherein the code for monitoring for the memory condition, when executed by the processor, is operable to perform further operations comprising:
    - monitoring regions of the memory associated with buffers used to send data for the memory condition.
  - 18. The computer-readable medium of claim 12, wherein the code, when executed by the processor, is operable to perform further operations comprising:
    - initiating the virtual environment for the application by assigning the application to the virtual machine randomly based, at least in part, on identifying the memory condition.
  - 19. The computer-readable medium of claim 12, wherein the code, when executed by the processor, is operable to perform further operations comprising:
    - firing a virtualization trap only when a condition is asserted based on a configured probabilistic configuration.
  - 20. The computer-readable medium of claim 12, wherein the checking the integrity of the traffic flow before the traffic flow is delivered to the tamper resistant environment comprises:
    - checking the integrity of the traffic flow randomly.

15. An apparatus, comprising:
- a memory element configured to store data;
  
  a processor operable to execute instructions associated with the data; and
  
  a security engine configured to interface with the memory element and the processor to;
  
  receive, from a virtualization environment of a host, information associated with an application executing on the host;
  
  receive a traffic flow at the tamper resistant environment from the application, wherein the tamper resistant environment is separated from an operating system of the host;
  
  create a modified traffic flow by applying a security token to the received traffic flow and by adding the information to the received traffic flow; and
  
  send the modified traffic flow to a server.
- View Dependent Claims (16, 17)
- - 16. The apparatus of claim 15, further comprising:
    - a trapping module configured to;
      
      monitor a memory of the host for a memory condition;
      
      identify the memory condition;
      
      assign the application to a virtual machine in the virtualization environment based, at least in part, on identifying the memory condition;
      
      trap, in the virtual environment, process events associated with the traffic flow; and
      
      check the integrity of the traffic flow before the traffic flow is delivered to the tamper resistant environment.
  - 17. The apparatus of claim 15, wherein the security engine is further configured to:
    - monitor a memory of the host for a memory condition;
      
      identify the memory condition; and
      
      scan the memory for integrity based, at least in part, on identifying the memory condition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Grobman, Steve, Samani, Raj, Arkin, Ofir, Schrecker, Sven
Primary Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US13/748,578
Publication Number

US 20140208413A1
Time in Patent Office

1,469 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/45558   Hypervisor-specific managem...

H04L 45/74   Address processing for routing

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/0823   using certificates cryptogr...

H04L 63/123   received data contents, e.g...

H04L 63/1483   service impersonation, e.g....

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3247   involving digital signatures

System and method for an endpoint hardware assisted network firewall in a security environment

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for an endpoint hardware assisted network firewall in a security environment

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links