Inter-module authentication for securing application execution integrity within a computing device

US 9,742,559 B2
Filed: 12/06/2013
Issued: 08/22/2017
Est. Priority Date: 01/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring and analyzing behaviors in a computing device having a high level operating system and a secure computing environment, comprising:

executing a first process via one or more hardware processors of the computing device in a privileged-normal portion of the secure computing environment of the computing device, the first process monitoring device behaviors over a period of time to collect behavior information and using the behavior information to generate a behavior vector;

executing a second process via the one or more hardware processors of the computing device in an unprivileged-normal portion of the secure computing environment of the computing device;

executing a secure authentication process via the one or more hardware processors in a privileged-secure portion of the secure computing environment of the computing device;

the first process providing a communication request message to the secure authentication process executing in the privileged-secure portion at the same or higher privilege level and at a higher security level than the first process;

the secure authentication process using the information included in the communication request message to authenticate the first process in the privileged-secure portion of the computing device;

the secure authentication process performing an integrity check of the first process in the privileged-secure portion of the computing device, the integrity check including the secure authentication process accessing a portion of a memory of the computing device allocated to the first process by the high level operating system to generate a cryptographic measurement in the privileged-secure portion;

the secure authentication process generating a key that includes the generated cryptographic measurement in response to the secure authentication process successfully authenticating the first process and the secure authentication process successfully performing the integrity check of the first process;

the secure authentication process in the privileged-secure portion providing the generated key to the first process in the privileged-normal portion;

the first process in the privileged-normal portion providing a second communication request message that includes the generated behavior vector and the generated key to the second process executing in the unprivileged-normal portion of the secure computing environment of the computing device;

the second process authenticating the first process based on the key and the cryptographic measurement included in the key to determine whether the first process can be trusted; and

the second process analyzing the behavior vector included in the second communication request message received from the first process to determine whether a behavior is benign in response to the second process determining, based on the key and the cryptographic measurement included in the key, that the first process can be trusted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for recognizing and reacting to malicious or performance-degrading behaviors in a mobile device include observing mobile device behaviors in an observer module within a privileged-normal portion of a secure operating environment to identify a suspicious mobile device behavior. The observer module may generate a concise behavior vector based on the observations, and provide the vector to an analyzer module in an unprivileged-secure portion of the secure operating environment. The vector may be analyzed in the unprivileged-secure portion to determine whether the mobile device behavior is benign, suspicious, malicious, or performance-degrading. If the behavior is found to be suspicious, operations of the observer module may be adjusted, such as to perform deeper observations. If the behavior is found to be malicious or performance-degrading behavior the user and/or a client module may be alerted in a secure, tamper-proof manner.

211 Citations

11 Claims

1. A method of monitoring and analyzing behaviors in a computing device having a high level operating system and a secure computing environment, comprising:
- executing a first process via one or more hardware processors of the computing device in a privileged-normal portion of the secure computing environment of the computing device, the first process monitoring device behaviors over a period of time to collect behavior information and using the behavior information to generate a behavior vector;
  
  executing a second process via the one or more hardware processors of the computing device in an unprivileged-normal portion of the secure computing environment of the computing device;
  
  executing a secure authentication process via the one or more hardware processors in a privileged-secure portion of the secure computing environment of the computing device;
  
  the first process providing a communication request message to the secure authentication process executing in the privileged-secure portion at the same or higher privilege level and at a higher security level than the first process;
  
  the secure authentication process using the information included in the communication request message to authenticate the first process in the privileged-secure portion of the computing device;
  
  the secure authentication process performing an integrity check of the first process in the privileged-secure portion of the computing device, the integrity check including the secure authentication process accessing a portion of a memory of the computing device allocated to the first process by the high level operating system to generate a cryptographic measurement in the privileged-secure portion;
  
  the secure authentication process generating a key that includes the generated cryptographic measurement in response to the secure authentication process successfully authenticating the first process and the secure authentication process successfully performing the integrity check of the first process;
  
  the secure authentication process in the privileged-secure portion providing the generated key to the first process in the privileged-normal portion;
  
  the first process in the privileged-normal portion providing a second communication request message that includes the generated behavior vector and the generated key to the second process executing in the unprivileged-normal portion of the secure computing environment of the computing device;
  
  the second process authenticating the first process based on the key and the cryptographic measurement included in the key to determine whether the first process can be trusted; and
  
  the second process analyzing the behavior vector included in the second communication request message received from the first process to determine whether a behavior is benign in response to the second process determining, based on the key and the cryptographic measurement included in the key, that the first process can be trusted.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the secure authentication process generating the key comprises the secure authentication process generating the key to include information about a communication channel allocated to the first process by the high level operating system.
  - 3. The method of claim 1, wherein the secure authentication process performing the integrity check of the first process comprises the secure authentication process generating a cryptographic hash of the first process'"'"'s code, data, or both.
  - 4. The method of claim 3, wherein the second process authenticating the first process based on the cryptographic measurement included in the key comprises:
    - the second process comparing the cryptographic hash of the first process to a hash obtained from a public repository or from a repository internal to the second process.

5. A computing device, comprising:
- a multi-core processor including two or more processor cores, one or more of which is configured with processor-executable instructions to perform operations comprising;
  
  executing a first process in a privileged-normal portion of a secure computing environment of the computing device, the first process monitoring device behaviors over a period of time to collect behavior information and using the behavior information to generate a behavior vector;
  
  executing a second process in an unprivileged-normal portion of the secure computing environment of the computing device;
  
  executing a secure authentication process in a privileged-secure portion of the secure computing environment of the computing device;
  
  the first process providing a communication request message to the secure authentication process executing in the privileged-secure portion of a secure computing environment of the computing device at the same or higher privilege level and at a higher security level than the first process;
  
  the secure authentication process using the information included in the communication request message to authenticate the first process in the privileged-secure portion of the computing device;
  
  the secure authentication process performing an integrity check of the first process in the privileged-secure portion of the computing device, the integrity check including the secure authentication process accessing a portion of a memory of the computing device allocated to the first process by a high level operating system of the computing device to generate a cryptographic measurement in the privileged-secure portion;
  
  the secure authentication process generating a key that includes the generated cryptographic measurement in response to the secure authentication process successfully authenticating the first process and the secure authentication process successfully performing the integrity check of the first process;
  
  the secure authentication process in the privileged-secure portion providing the generated key to the first process in the privileged-normal portion;
  
  the first process in the privileged-normal portion providing a second communication request message that includes the generated behavior vector and the generated key to the second process executing in the unprivileged-normal portion of the secure computing environment;
  
  the second process authenticating the first process based on the key and the cryptographic measurement included in the key to determine whether the first process can be trusted; and
  
  the second process analyzing the behavior vector included in the second communication request message received from the first process to determine whether a behavior is benign in response to the second process determining, based on the key and the cryptographic measurement included in the key, that the first process can be trusted.
- View Dependent Claims (6, 7, 8)
- - 6. The computing device of claim 5, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that the secure authentication process generating the key comprises the secure authentication process generating the key to include information about a communication channel allocated to the first process by the high level operating system.
  - 7. The computing device of claim 5, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that the secure authentication process performing the integrity check of the first process comprises the secure authentication process generating a cryptographic hash of the first process'"'"'s code, data, or both.
  - 8. The computing device of claim 7, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that the second process authenticating the first process based on the cryptographic measurement included in the key comprises:
    - the second process comparing the cryptographic hash of the first process to a hash obtained from a public repository or from a repository internal to the second process.

9. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor to perform operations for monitoring and analyzing behaviors in a computing device having a high level operating system that includes a secure computing environment, the operations comprising:
- executing a first process in a privileged-normal portion of the secure computing environment of the computing device, the first process monitoring device behaviors over a period of time to collect behavior information and using the behavior information to generate a behavior vector;
  
  executing a second process via the one or more hardware processors of the computing device in an unprivileged-normal portion of the secure computing environment of the computing device;
  
  executing a secure authentication process via the one or more hardware processors in a privileged-secure portion of the secure computing environment of the computing device;
  
  the first process providing a communication request message to the secure authentication process executing in the privileged-secure portion of the secure computing environment of the computing device at the same or higher privilege level and at a higher security level than the first process;
  
  the secure authentication process using the information included in the communication request message to authenticate the first process in the privileged-secure portion of the computing device;
  
  the secure authentication process performing an integrity check of the first process in the privileged-secure portion of the computing device, the integrity check including the secure authentication process accessing a portion of a memory of the computing device allocated to the first process by the high level operating system of the computing device to generate a cryptographic measurement in the privileged-secure portion;
  
  the secure authentication process generating a key that includes the generated cryptographic measurement in response to the secure authentication process successfully authenticating the first process and the secure authentication process successfully performing the integrity check of the first process;
  
  the secure authentication process in the privileged-secure portion providing the generated key to the first process in the privileged-normal portion;
  
  the first process in the privileged-normal portion providing a second communication request message that includes the generated behavior vector and the generated key to the second process executing in the unprivileged-normal portion of the secure computing environment of the computing device;
  
  the second process authenticating the first process based on the key and the cryptographic measurement included in the key to determine whether the first process can be trusted; and
  
  the second process analyzing the behavior vector included in the second communication request message received from the first process to determine whether a behavior is benign in response to the second process determining, based on the key and the cryptographic measurement included in the key, that the first process can be trusted.
- View Dependent Claims (10, 11)
- - 10. The non-transitory computer readable storage medium of claim 9, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that the secure authentication process generating the key comprises the secure authentication process generating the key to include information about a communication channel allocated to the first process by the high level operating system.
  - 11. The non-transitory computer readable storage medium of claim 9, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that:
    - the secure authentication process performing the integrity check of the first process comprises the secure authentication process generating a cryptographic hash of the first process'"'"'s code, data, or both; and
      
      the second process authenticating the first process based on the cryptographic measurement included in the key comprises the second process comparing the cryptographic hash of the first process to a hash obtained from a public repository or from a repository internal to the second process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Christodorescu, Mihai, Gupta, Rajarshi, Sridhara, Vinay
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Teng, Louis

Application Number

US14/099,108
Publication Number

US 20140205099A1
Time in Patent Office

1,355 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/57   Certifying or maintaining t...

G06F 21/606   by securing the transmissio...

G06F 2221/2149   Restricted operating enviro...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0819   Key transport or distributi...

H04L 9/083   involving central third par...

H04L 9/0861   Generation of secret inform...

H04L 9/321   involving a third party or ...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3297   involving time stamps, e.g....

H04W 12/03   Protecting confidentiality,...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 12/106   Packet or message integrity

H04W 12/128   Anti-malware arrangements, ...

Inter-module authentication for securing application execution integrity within a computing device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

211 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Inter-module authentication for securing application execution integrity within a computing device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

211 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links