Trusted binary translation

US 9,798,559 B2
Filed: 12/27/2014
Issued: 10/24/2017
Est. Priority Date: 12/27/2014
Status: Active Grant

First Claim

Patent Images

1. A computing apparatus comprising:

a processor;

a memory; and

a trusted execution environment (TEE), comprising a memory enclave and processor instructions for accessing the memory enclave; and

one or more logic elements, including at least one hardware logic element, comprising a binary translation engine for operating within the TEE, and including a trusted compiler, runtime, or interpreter operable for;

receiving a trusted first signed object in a first format, the first signed object signed by a certificate;

translating the first signed object into a trusted second object in a second format;

consulting a certificate expiration or revocation list to determine that the certificate is not expired; and

after determining that the certificate is not expired, signing the second object.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a computing device may include a trusted execution environment (TEE) for executing signed and verified code. The device may receive a trusted binary object in a first form, but the object may need to be converted to a second format, either on-the-fly, or in advance. This may include, for example, a bytecode interpreter, script interpreter, runtime engine, compiler, just-in-time compiler, or other species of binary translator. The binary translator may be run from the TEE, and the output may then be signed by the TEE and treated as a new trusted binary.

Citations

20 Claims

1. A computing apparatus comprising:
- a processor;
  
  a memory; and
  
  a trusted execution environment (TEE), comprising a memory enclave and processor instructions for accessing the memory enclave; and
  
  one or more logic elements, including at least one hardware logic element, comprising a binary translation engine for operating within the TEE, and including a trusted compiler, runtime, or interpreter operable for;
  
  receiving a trusted first signed object in a first format, the first signed object signed by a certificate;
  
  translating the first signed object into a trusted second object in a second format;
  
  consulting a certificate expiration or revocation list to determine that the certificate is not expired; and
  
  after determining that the certificate is not expired, signing the second object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computing apparatus of claim 1, wherein the first format is a non-native binary format.
  - 3. The computing apparatus of claim 1, wherein the second format is a native binary format.
  - 4. The computing apparatus of claim 1, wherein the TEE comprises a memory enclave.
  - 5. The computing apparatus of claim 1, wherein the TEE comprises a processor operable to provide special TEE instructions.
  - 6. The computing apparatus of claim 1, wherein the first signed object is to be signed by a key, and wherein signing the second object comprises signing the second object with the key.
  - 7. The computing apparatus of claim 1, wherein the first signed object is to be signed with a first key, and wherein signing the second object comprises signing the second object with a second key signed by a common issuer of the first key.
  - 8. The computing apparatus of claim 1, wherein the first signed object is to be signed with a first key, and wherein signing the second object comprises signing the second object with a second key provided by a vendor of the first signed object.
  - 9. The computing apparatus of claim 1, wherein the binary translation engine is further operable for receiving a code validation object signed by a code validation object key, and verifying the code validation object key.
  - 10. The computing apparatus of claim 9, wherein verifying the code validation object key comprises receiving a public verification key.

11. One or more tangible, non-transitory computer-readable mediums having stored thereon instructions that, when executed, are operable to provide a binary translation engine including a trusted compiler, runtime, or interpreter operable for:
- establishing a trusted execution environment (TEE) within a memory enclave;
  
  receiving into the enclave a first signed object in a first format, the first signed object signed by a certificate;
  
  translating the first signed object into a trusted second object in a second format within the enclave;
  
  consulting a certificate expiration or revocation list to determine that the certificate is not expired; and
  
  after determining that the certificate is not expired, signing the second object within the enclave.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the first format is a non-native binary format.
  - 13. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the second format is a native binary format.
  - 14. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the binary translation engine comprises a binary translator selected from a group consisting of a runtime engine, an interpreter, a just-in-time compiler, ahead-of-time compiler, a virtual machine, a compiler, a linker, and a toolchain utility.
  - 15. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the first signed object is to be signed by a key, and wherein signing the second object comprises signing the second object with the key.
  - 16. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the first signed object is to be signed with a first key, and wherein signing the second object comprises signing the second object with a second key signed by a common issuer of the first key.
  - 17. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein first signed object is to be signed with a first key, and wherein signing the second object comprises signing the second object with a second key provided by a vendor of the first object.
  - 18. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the binary translation engine is further operable for receiving a code validation object signed by a code validation object key, and verifying the code validation object key.

19. A method of providing a binary translation engine including a trusted compiler, runtime, or interpreter, comprising:
- establishing a memory enclave within a computer memory;
  
  receiving into the memory enclave a trusted first signed object in a first format, the first signed object signed by a certificate;
  
  translating, within the enclave, the first signed object into a trusted second object in a second format;
  
  consulting a certificate expiration or revocation list to determine that the certificate is not expired; and
  
  after determining that the certificate is not expired, signing, within the enclave, the second object.
- View Dependent Claims (20)
- - 20. The method of claim 19, wherein translating comprises:
    - performing runtime engine operations, interpreting, just-in-time compiling, ahead-of-time compiling, providing virtual machine services, compiling, linking, or providing toolchain utility services.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Shah, Samir, Smith, Ned M., Martin, Jason, Sheller, Micah J., Chakrabarti, Somnath, Xing, Bin
Primary Examiner(s)
Bodden, Evral E

Application Number

US14/583,616
Publication Number

US 20160188350A1
Time in Patent Office

1,032 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/74   operating in dual or compar...

G06F 9/4552   Involving translation to a ...

G09C 1/00   Apparatus or methods whereb...

H04L 2209/127   Trusted platform modules [TPM]

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

Trusted binary translation

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted binary translation

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links