Method and apparatus for securing computer interfaces
Abstract
The present invention relates to methods and apparatuses for securing otherwise unsecured internal and external computer communications. According to one aspect, the invention relates to methods and apparatuses for implementing device gatekeeping. According to another aspect the invention relates to methods and apparatuses for encrypting and decrypting data sent over an external or internal interface. According to another aspect, the invention relates to methods and apparatuses for implementing device snooping, in which some or all traffic passing between a host and a connected device is captured into memory and analyzed in real time by system software. In embodiments, the software can also act upon analyzed information. According to certain additional aspects, the security functions performed by methods and apparatuses according to the invention can be logically transparent to the upstream host and/or to the downstream device.
21 Claims
1. A computer system, comprising:

a host processor executing an operating system and applications for generating and using data;

an upstream port coupled to the host processor, wherein the upstream port receives the generated data from the host processor and sends the used data to the host processor;

a downstream port coupled to a device, wherein the downstream port receives the used data from the device and sends the generated data to the device; and

a secure subsystem interposed between the upstream port and downstream port that transparently performs security functions on the data, wherein the secure subsystem includes logic that detects when the device first connects to the downstream port and configures the security functions that are performed in response to the detection,

wherein the security functions include a gatekeeping function in which the secure subsystem, upon determining that the device should be blocked, causes the host processor to consider that the device is not connected to the downstream port, thereby preventing any subsequent requests to access the device by the host processor,

wherein the secure subsystem causes the host processor to consider that the device is not connected by communicating information with the host processor that causes the host processor to terminate an initialization sequence with the device and discard the device, and

wherein communicating information includes sending packets from the secure subsystem to a device host in the operating system executed by the host processor which forces the device host to complete the initialization sequence but to keep the downstream port open so that another device can attach to the downstream port.

Dependent claims: 2 to 16.

17. A method for securing a computer having an upstream port coupled to a host processor and a downstream port coupled to a device, comprising:

interposing a secure subsystem between the upstream port and the downstream port;

detecting when the device first attaches to the downstream port;

determining at the secure subsystem that the device should be blocked in response to the detection; and

if the device should be blocked, causing the host processor to consider that the device is not attached to the downstream port, thereby preventing any subsequent requests to access the device by the host processor,

wherein causing the host processor to consider that the device is not attached is performed by communicating information with the host processor that causes the host processor to terminate an initialization sequence with the device and discard the device, and

wherein communicating information includes sending packets from the secure subsystem to a device host in the operating system executed by the host processor which forces the device host to complete the initialization sequence but to keep the downstream port open so that another device can attach to the downstream port.

Dependent claims: 18 to 21.
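The gatekeeping and snooping behaviour recited in claims 1 and 17 can be modelled end to end in a few dozen lines. The following Python is an added illustration written for this page, not code from the patent or its assignee: the host's "device host", the secure subsystem and the device are simulated objects, the descriptor fields follow USB conventions (vendor ID, product ID, base class code), and the packet kinds (GET_DESCRIPTOR, DESCRIPTOR, INIT_DONE_NO_DEVICE, DATA, ACK) and the allow-list/class policy are assumptions chosen to show the sequence, since the claims do not specify the bus-level signalling. The scenario is constructed: a mass-storage device is blocked on port 1 so that the host completes initialization with no device bound and issues no further requests, the device is unplugged, and an allow-listed keyboard then attaches to the same port and is served normally, while every packet crossing the subsystem is captured into a snoop buffer.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DeviceDescriptor:
    """Identity a device reports during initialization (USB-style fields; assumed)."""
    vendor_id: int
    product_id: int
    device_class: int  # USB base class codes: 0x03 = HID, 0x08 = mass storage
    serial: str


@dataclass(frozen=True)
class Packet:
    """One message crossing the secure subsystem; direction is relative to the host."""
    direction: str  # "host->device" or "device->host"
    kind: str       # assumed packet kinds, see lead-in
    port: int
    descriptor: Optional[DeviceDescriptor] = None
    data: bytes = b""


@dataclass
class Policy:
    """Gatekeeping policy (assumed format): an explicit VID:PID allow-list wins,
    otherwise devices of a blocked class are rejected."""
    allowed: Set[Tuple[int, int]]
    blocked_classes: Set[int]

    def should_block(self, d: DeviceDescriptor) -> bool:
        if (d.vendor_id, d.product_id) in self.allowed:
            return False
        return d.device_class in self.blocked_classes


class DeviceHost:
    """Models the OS device host: on attach it runs an initialization sequence and
    binds the device only if that sequence returns a descriptor."""

    def __init__(self) -> None:
        self.bound: Dict[int, DeviceDescriptor] = {}
        self.sent: List[Packet] = []

    def initialize(self, port: int, subsystem: "SecureSubsystem") -> None:
        req = Packet("host->device", "GET_DESCRIPTOR", port)
        self.sent.append(req)
        reply = subsystem.from_host(req)
        if reply.kind == "DESCRIPTOR" and reply.descriptor is not None:
            self.bound[port] = reply.descriptor
        # On INIT_DONE_NO_DEVICE the sequence completes and the host discards the device.

    def write(self, port: int, data: bytes, subsystem: "SecureSubsystem") -> bool:
        if port not in self.bound:  # nothing bound, so no request is ever issued
            return False
        pkt = Packet("host->device", "DATA", port, data=data)
        self.sent.append(pkt)
        subsystem.from_host(pkt)
        return True


class SecureSubsystem:
    """Interposed between the upstream (host) port and the downstream (device) port."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.attached: Dict[int, DeviceDescriptor] = {}
        self.blocked: Dict[int, bool] = {}
        self.snoop: List[Packet] = []      # snooping: every packet captured in memory
        self.delivered: List[Packet] = []  # packets that actually reached a device

    def port_open(self, port: int) -> bool:
        return port not in self.attached

    def device_attached(self, port: int, d: DeviceDescriptor, host: DeviceHost) -> bool:
        """Detect first connection, decide the gatekeeping outcome, then let the host
        run its initialization sequence. Returns True if the device was blocked."""
        self.attached[port] = d
        self.blocked[port] = self.policy.should_block(d)
        host.initialize(port, self)
        return self.blocked[port]

    def device_detached(self, port: int, host: DeviceHost) -> None:
        self.attached.pop(port, None)
        self.blocked.pop(port, None)
        host.bound.pop(port, None)

    def from_host(self, pkt: Packet) -> Packet:
        self.snoop.append(pkt)
        if self.blocked.get(pkt.port):
            # Gatekeeping: complete the host's initialization with no device rather
            # than stalling it, so the downstream port stays usable for the next attach.
            reply = Packet("device->host", "INIT_DONE_NO_DEVICE", pkt.port)
        elif pkt.kind == "GET_DESCRIPTOR":
            reply = Packet("device->host", "DESCRIPTOR", pkt.port, self.attached[pkt.port])
        else:
            self.delivered.append(pkt)  # transparent pass-through to the device
            reply = Packet("device->host", "ACK", pkt.port)
        self.snoop.append(reply)
        return reply


def run_scenario() -> dict:
    """Constructed scenario: blocked storage stick on port 1, unplug, allowed keyboard."""
    policy = Policy(allowed={(0x046D, 0xC31C)}, blocked_classes={0x08})
    host, sub = DeviceHost(), SecureSubsystem(policy)
    stick = DeviceDescriptor(0x0781, 0x5567, 0x08, "STICK-001")      # constructed IDs
    keyboard = DeviceDescriptor(0x046D, 0xC31C, 0x03, "KBD-001")     # constructed IDs

    stick_blocked = sub.device_attached(1, stick, host)
    host_saw_stick = 1 in host.bound
    write_to_stick = host.write(1, b"secret", sub)
    sub.device_detached(1, host)
    port_reusable = sub.port_open(1)
    keyboard_blocked = sub.device_attached(1, keyboard, host)
    write_to_keyboard = host.write(1, b"\x00\x00\x04", sub)
    return {
        "stick_blocked": stick_blocked, "host_saw_stick": host_saw_stick,
        "write_to_stick": write_to_stick, "port_reusable": port_reusable,
        "keyboard_blocked": keyboard_blocked, "write_to_keyboard": write_to_keyboard,
        "delivered": len(sub.delivered), "snooped": len(sub.snoop),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point the model makes explicit is the one the claim turns on: the subsystem does not leave the host's initialization hanging (which would tie up the port and trigger retries), it answers so that the sequence finishes with nothing bound. Because the host only issues later requests to bound devices, the blocked device receives no traffic at all, and the port is free for the next attach. In a real interposer the allow-list would be keyed on more than VID:PID, since those are trivially spoofed by a malicious device.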
Specification