Binary translation of a trusted binary with input tagging
Abstract
In an example, a computing device includes a trusted execution environment (TEE), including an enclave. The enclave may include both a binary translation engine (BTE) and an input verification engine (IVE). In one embodiment, the IVE receives a trusted binary as an input, and analyzes the trusted binary to identify functions, classes, and variables that perform input/output operations. To ensure the security of these interfaces, those operations may be performed within the enclave. The IVE tags the trusted binary and provides the binary to the BTE. The BTE then translates the trusted binary into a second format, including designating the tagged portion for execution within the enclave. The BTE may also sign the new binary in the second format and export it out of the enclave.
23 Claims
1. A computing apparatus comprising:
    a trusted execution environment (TEE);
    one or more logic elements comprising an input verification engine (IVE) within the TEE, the IVE operable for:
        receiving a trusted first binary object in a first format, the first binary object being a signed binary object;
        analyzing the trusted first binary object to identify portions that perform input/output operations comprising signed and validated input from a peripheral;
        tagging the portions to create a tagged trusted binary object with tagged portions; and
        providing the portions to a binary translation engine (BTE);
    one or more logic elements comprising the BTE within the TEE, the BTE operable for:
        receiving the tagged trusted binary object in the first format, the first format not suitable for use on the computing apparatus;
        translating the tagged trusted binary object into a second binary object in a second format suitable for use on the computing apparatus, wherein translating comprises reserving the tagged portions for execution within an enclave;
        signing the second binary object in the second format; and
        consulting a certificate expiration or revocation list before signing the second binary object.

13. One or more non-transitory, computer-readable mediums having stored thereon instructions that, when executed, instruct a processor for:
    providing an input verification engine (IVE) within a TEE, the IVE operable for:
        receiving a trusted first binary object in a first format, the first binary object being a signed binary object;
        analyzing the trusted first binary object to identify portions that perform input/output operations comprising signed and validated input from a peripheral;
        tagging the portions to create a tagged trusted binary object with tagged portions; and
        providing the portions to a binary translation engine (BTE);
    providing the BTE within the TEE, the BTE operable for:
        receiving the tagged trusted binary object in the first format, the first format not suitable for use on a target platform of the trusted binary;
        translating the tagged trusted binary object into a second binary object in a second format suitable for use on the target platform, wherein translating comprises reserving the tagged portions for execution within an enclave;
        signing the second binary object in the second format; and
        consulting a certificate expiration or revocation list before signing the second binary object.

23. A computer-implemented method for execution within a trusted execution environment (TEE), comprising:
    receiving a trusted first binary object in a first format, the first binary object being a signed binary object;
    analyzing the trusted first binary object to identify portions that perform input/output operations comprising signed and validated input from a peripheral;
    tagging the portions to create a tagged trusted binary object with tagged portions;
    translating the tagged trusted binary object into a second binary object in a second format suitable for use on the target platform, wherein translating comprises reserving the tagged portions for execution within an enclave;
    signing the second binary object in the second format; and
    consulting a certificate expiration or revocation list before signing the second binary object.