SYSTEM AND METHOD FOR AN ENDPOINT HARDWARE ASSISTED NETWORK FIREWALL IN A SECURITY ENVIRONMENT

US 20170126413A1
Filed: 01/06/2017
Published: 05/04/2017
Est. Priority Date: 01/23/2013
Status: Active Grant

First Claim

Patent Images

1. At least one computer-readable medium that includes code for execution and when executed by at least one processor is operable to perform operations to:

receive a traffic flow at a tamper resistant environment on a host from an application executing on the host, wherein the tamper resistant environment is separated from an operating system of the host;

create a modified traffic flow by adding information associated with the application to the received traffic flow and by adding a device identifier of the host to the received traffic flow; and

send the modified traffic flow to a server.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment and includes receiving a traffic flow at a tamper resistant environment from an application, where the tamper resistant environment is separated from a host operating system. The method also includes applying a security token to the traffic flow and sending the traffic flow to a server. In specific embodiments, a security module may add information about the application to traffic flow. A trapping module may monitor for a memory condition and identify the memory condition. The trapping module may also, responsive to identifying the memory condition, initiate a virtual environment for the application, and check the integrity of the traffic flow.

10 Citations

View as Search Results

25 Claims

1. At least one computer-readable medium that includes code for execution and when executed by at least one processor is operable to perform operations to:
- receive a traffic flow at a tamper resistant environment on a host from an application executing on the host, wherein the tamper resistant environment is separated from an operating system of the host;
  
  create a modified traffic flow by adding information associated with the application to the received traffic flow and by adding a device identifier of the host to the received traffic flow; and
  
  send the modified traffic flow to a server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer-readable medium of claim 1, wherein the information associated with the application is obtained by the tamper resistant environment scanning the memory of the host.
  - 3. The computer-readable medium of claim 1, wherein the code, when executed by the at least one processor, is operable to perform further operations to:
    - receive the information at the tamper resistant environment from a virtualization environment on the host.
  - 4. The computer-readable medium of claim 3, wherein the code, when executed by the at least one processor, is operable to perform further operations to:
    - monitor, by the virtualization environment, a memory of the host;
      
      identify a memory condition;
      
      request control of the memory;
      
      obtain the information associated with the application by accessing the memory; and
      
      send the information from the virtualization environment to the tamper resistant environment.
  - 5. The computer-readable medium of claim 4, wherein the memory condition is identified based on a certain memory location in the memory of the host being accessed.
  - 6. The computer-readable medium of claim 4, wherein the virtualization environment includes a second tamper resistant environment separated from the other tamper resistant environment.
  - 7. The computer-readable medium of claim 1, wherein the code, when executed by the at least one processor, is operable to perform further operations to:
    - derive a security token by the tamper resistant environment; and
      
      apply the security token to the traffic flow.
  - 8. The computer-readable medium of claim 7, wherein the security token is derived from an enhanced privacy identification to attest that the tamper resistant environment is trusted.
  - 9. The computer-readable medium of claim 7, wherein the information added to the received traffic flow includes metadata, and wherein the code applying the security token to the received traffic flow comprises code to:
    - digitally sign the metadata using public key cryptography.
  - 10. The computer-readable medium of claim 1, wherein the tamper resistant environment is separated from the operating system of the host by isolated hardware or by a secure partition in hardware.
  - 11. The computer-readable medium of claim 1, wherein the code, when executed by the at least one processor, is operable to perform further operations to:
    - monitor a memory of the host for a memory condition;
      
      identify the memory condition;
      
      assign the application to a virtual machine in the virtualization environment based, at least in part, on identifying the memory condition;
      
      trap, in the virtualization environment, process events associated with the traffic flow; and
      
      check the integrity of the traffic flow before the traffic flow is delivered to the tamper resistant environment.
  - 12. The computer-readable medium of claim 11, wherein the code for monitoring for the memory condition, when executed by the at least one processor, is operable to perform further operations to:
    - monitor regions of the memory associated with buffers used to send data for the memory condition.
  - 13. The computer-readable medium of claim 11, wherein the code, when executed by the at least one processor, is operable to perform further operations to:
    - initiate the virtualization environment for the application by assigning the application to the virtual machine randomly based, at least in part, on identifying the memory condition.
  - 14. The computer-readable medium of claim 11, wherein the code, when executed by the processor, is operable to perform further operations to:
    - fire a virtualization trap based on a condition being asserted according to a configured probabilistic configuration.

15. An apparatus, comprising:
- at least one processor; and
  
  a security engine including a tamper resistant environment coupled to the at least one processor to;
  
  receive a traffic flow from an application executing on the apparatus, wherein the tamper resistant environment is separated from an operating system of the apparatus;
  
  create a modified traffic flow by adding information associated with the application to the received traffic flow and by adding a device identifier of the apparatus to the received traffic flow; and
  
  send the modified traffic flow to a server.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the information associated with the application is obtained by the tamper resistant environment scanning the memory of the host.
  - 17. The apparatus of claim 15, further comprising:
    - a virtualization environment coupled to the processor to;
      
      monitor a memory of the host;
      
      identify a memory condition;
      
      request control of the memory based on identifying the memory condition;
      
      obtain the information associated with the application by accessing the memory; and
      
      send the information to the tamper resistant environment.
  - 18. The apparatus of claim 15, wherein the tamper resistant environment is coupled to the processor to:
    - derive a security token; and
      
      apply the security token to the traffic flow.
  - 19. The apparatus of claim 18, wherein the information added to the received traffic flow includes metadata, and wherein the tamper resistant environment is coupled to the processor to:
    - digitally sign the metadata using public key cryptography.
  - 20. The apparatus of claim 15, further comprising:
    - a trapping module configured to;
      
      monitor a memory of the host for a memory condition;
      
      identify the memory condition;
      
      assign the application to a virtual machine in the virtualization environment based, at least in part, on identifying the memory condition;
      
      trap, in the virtual environment, process events associated with the traffic flow; and
      
      check the integrity of the traffic flow before the traffic flow is delivered to the tamper resistant environment.

21. A method comprising:
- receiving a traffic flow at a tamper resistant environment on a host from an application executing on the host, wherein the tamper resistant environment is separated from an operating system of the host;
  
  creating a modified traffic flow by adding information associated with the application to the received traffic flow and by adding a device identifier of the host to the received traffic flow; and
  
  sending the modified traffic flow to a server.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21, wherein the information associated with the application is obtained by the tamper resistant environment scanning the memory of the host.
  - 23. The method of claim 21, wherein the code, further comprising:
    - receiving the information at the tamper resistant environment from a virtualization environment on the host.
  - 24. The method of claim 23, further comprising:
    - monitoring, by the virtualization environment, a memory of the host;
      
      identifying a memory condition;
      
      requesting control of the memory;
      
      obtaining the information associated with the application by accessing the memory; and
      
      sending the information from the virtualization environment to the tamper resistant environment.
  - 25. The method of claim 21, further comprising:
    - deriving a security token; and
      
      applying the security token to the traffic flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Grobman, Steve, Samani, Raj, Arkin, Ofir, Schrecker, Sven

Granted Patent

US 10,103,892 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/45558   Hypervisor-specific managem...

H04L 45/74   Address processing for routing

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/0823   using certificates cryptogr...

H04L 63/123   received data contents, e.g...

H04L 63/1483   service impersonation, e.g....

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3247   involving digital signatures

SYSTEM AND METHOD FOR AN ENDPOINT HARDWARE ASSISTED NETWORK FIREWALL IN A SECURITY ENVIRONMENT

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR AN ENDPOINT HARDWARE ASSISTED NETWORK FIREWALL IN A SECURITY ENVIRONMENT

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links