Method and apparatus for securing computer interfaces

US 9,684,805 B2
Filed: 08/20/2013
Issued: 06/20/2017
Est. Priority Date: 08/20/2013
Status: Active Grant

First Claim

Patent Images

1. A computer system, comprising:

a host processor executing an operating system and applications for generating and using data;

an upstream port coupled to the host processor, wherein the upstream port receives the generated data from the host processor and sends the used data to the host processor;

a downstream port coupled to a device, wherein the downstream port receives the used data from the device and sends the generated data to the device; and

a secure subsystem interposed between the upstream port and downstream port that transparently performs security functions on the data, wherein the secure subsystem includes logic that detects when the device first connects to the downstream port and configures the security functions that are performed in response to the detection,wherein the security functions include a gatekeeping function in which the secure subsystem, upon determining that the device should be blocked, causes the host processor to consider that the device is not connected to the downstream port, thereby preventing any subsequent requests to access the device by the host processor,wherein the secure subsystem causes the host processor to consider that the device is not connected by communicating information with the host processor that causes the host processor to terminate an initialization sequence with the device and discard the device, andwherein communicating information includes sending packets from the secure subsystem to a device host in the operating system executed by the host processor which forces the device host to complete the initialization sequence but to keep the downstream port open so that another device can attach to the downstream port.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to methods and apparatuses for securing otherwise unsecured internal and external computer communications. According to one aspect, the invention relates to methods and apparatuses for implementing device gatekeeping. According to another aspect the invention relates to methods and apparatuses for encrypting and decrypting data sent over an external or internal interface. According to another aspect, the invention relates to methods and apparatuses for implementing device snooping, in which some or all traffic passing between a host and a connected device is captured into memory and analyzed in real time by system software. In embodiments, the software can also act upon analyzed information. According to certain additional aspects, the security functions performed by methods and apparatuses according to the invention can be logically transparent to the upstream host and/or to the downstream device.

86 Citations

View as Search Results

21 Claims

1. A computer system, comprising:
- a host processor executing an operating system and applications for generating and using data;
  
  an upstream port coupled to the host processor, wherein the upstream port receives the generated data from the host processor and sends the used data to the host processor;
  
  a downstream port coupled to a device, wherein the downstream port receives the used data from the device and sends the generated data to the device; and
  
  a secure subsystem interposed between the upstream port and downstream port that transparently performs security functions on the data, wherein the secure subsystem includes logic that detects when the device first connects to the downstream port and configures the security functions that are performed in response to the detection,wherein the security functions include a gatekeeping function in which the secure subsystem, upon determining that the device should be blocked, causes the host processor to consider that the device is not connected to the downstream port, thereby preventing any subsequent requests to access the device by the host processor,wherein the secure subsystem causes the host processor to consider that the device is not connected by communicating information with the host processor that causes the host processor to terminate an initialization sequence with the device and discard the device, andwherein communicating information includes sending packets from the secure subsystem to a device host in the operating system executed by the host processor which forces the device host to complete the initialization sequence but to keep the downstream port open so that another device can attach to the downstream port.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computer system of claim 1, wherein the host processor includes a Universal Serial Bus (USB) host and the device comprises one or more of a USB device and a USB hub.
  - 3. The computer system of claim 1, wherein the host processor includes one or more of a Serial Advanced Technology Attachment (SATA) host and a Serial Attached SCSI (SAS) host and the device comprises one or more of a SATA device and a SAS device.
  - 4. The computer system of claim 1, wherein the secure subsystem includes transceivers for parsing packets of the data received from the upstream and downstream ports and a link controller for examining the parsed packets.
  - 5. The computer system of claim 1, wherein the secure subsystem transparently encrypts the generated data before sending to the device.
  - 6. The computer system of claim 5, wherein the secure subsystem includes a Cyclic Redundancy Check (CRC) generator for generating a new CRC value for the encrypted generated data.
  - 7. The computer system of claim 1, wherein the secure subsystem transparently decrypts the used data before sending to the host.
  - 8. The computer system of claim 1, further comprising a policies table that defines a number and type of the security functions to perform for the device, wherein the logic configures the security functions by looking up the device in the policies table.
  - 9. The computer system of claim 8, wherein the policies include one or more of device class configuration policies, device vendor configuration policies, product ID configuration policies, and unique device serial number configuration policies.
  - 10. The computer system of claim 1, wherein the security functions capturing certain of the generated and used data, and wherein the secure subsystem includes snoop logic for capturing the certain data.
  - 11. The computer system of claim 10, wherein the snoop logic is configured to store the certain captured data in memory.
  - 12. The computer system of claim 10, wherein the secure subsystem is configured to forward the certain captured data to a system administrator.
  - 13. The computer system of claim 10, wherein the snoop logic is configured to capture the certain data in real time.
  - 14. The computer system of claim 10, wherein the secure subsystem is configured to monitor the certain captured data in real time.
  - 15. The computer system of claim 10, wherein the snoop logic includes a trigger engine that identifies the certain data based on a predefined event.
  - 16. The computer system of claim 10, wherein the snoop logic includes a filter engine that identifies the certain data by discarding unwanted data.

17. A method for securing a computer having an upstream port coupled to a host processor and a downstream port coupled to a device, comprising:
- interposing a secure subsystem between the upstream port and the downstream port;
  
  detecting when the device first attaches to the downstream port;
  
  determining at the secure subsystem that the device should be blocked in response to the detection; and
  
  if the device should be blocked, causing the host processor to consider that the device is not attached to the downstream port, thereby preventing any subsequent requests to access the device by the host processor,wherein causing the host processor to consider that the device is not attached is performed by communicating information with the host processor that causes the host processor to terminate an initialization sequence with the device and discard the device, andwherein communicating information includes sending packets from the secure subsystem to a device host in the operating system executed by the host processor which forces the device host to complete the initialization sequence but to keep the downstream port open so that another device can attach to the downstream port.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method according to claim 17, wherein the host processor includes a Universal Serial Bus (USB) host and the device comprises one or more of a USB device and a USB hub.
  - 19. The method of claim 17, wherein the host processor includes one or more of a Serial Advanced Technology Attachment (SATA) host and a Serial Attached SCSI (SAS) host and the device comprises one or more of a SATA device and a SAS device.
  - 20. The method according to claim 18, further comprising maintaining a table of policies that defines devices to be blocked, wherein determining includes looking up the device in the table.
  - 21. The method according to claim 20, wherein the policies include one or more of device class configuration policies, device vendor configuration policies, product ID configuration policies, and unique device serial number configuration policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Janus Technologies, Inc.
Original Assignee
Janus Technologies, Inc.
Inventors
Porten, Joshua, Indenbaum, Alexander, Chin, Shaoan, Raskin, Sofin, Wang, Michael
Primary Examiner(s)
DOAN, TRANG T

Application Number

US13/971,582
Publication Number

US 20150058912A1
Time in Patent Office

1,400 Days
Field of Search
US Class Current
CPC Class Codes

G06F 1/1698   the I/O peripheral being a ...

G06F 21/85   interconnection devices, e....

H04L 63/1433   Vulnerability analysis

Method and apparatus for securing computer interfaces

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

86 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for securing computer interfaces

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links