System and method to provide added security to a platform using locality-based data

US 8,561,138 B2
Filed: 12/31/2008
Issued: 10/15/2013
Est. Priority Date: 12/31/2008
Status: Active Grant

First Claim

Patent Images

1. A system for protecting a computing platform from unauthorized access, comprising:

a host processor coupled to a first wireless communication device to receive location-based information from a positioning device;

an out-of-band processor different from and operating independently from the host processor, the out-of-band processor in communication with the host processor, coupled to the first wireless communication device to receive location-based information from the positioning device, and powered independently of the host processor to enable operation independent of the status of the host processor;

a firmware service configured to run during boot on the host processor to verify that the computing platform is authorized for operation, the authorization based at least on location-based information received from the positioning device and pre-defined platform policy; and

a runtime service configured to run after boot on the out-of-band processor independent of the status of the host processor, the runtime service configured to verify that the computing platform is authorized for operation, the authorization based at least on location-based information received from the positioning device and pre-defined platform policy;

wherein when the computing platform is out of range of a location defined in the pre-defined platform policy, the runtime service is configured to send a message to the host processor through a shared memory accessible to the host processor and the out-of-band processor, the message to cause the host processor to perform a security function to inhibit operation of the platform.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, the invention involves protecting a platform using locality-based data and, more specifically, to using the locality-based data to ensure that the platform has not been stolen or subject to unauthorized access. In some embodiments, a second level of security, such as a key fob, badge or other source device having an identifying RFID is used for added security. Other embodiments are described and claimed.

145 Citations

40 Claims

1. A system for protecting a computing platform from unauthorized access, comprising:
- a host processor coupled to a first wireless communication device to receive location-based information from a positioning device;
  
  an out-of-band processor different from and operating independently from the host processor, the out-of-band processor in communication with the host processor, coupled to the first wireless communication device to receive location-based information from the positioning device, and powered independently of the host processor to enable operation independent of the status of the host processor;
  
  a firmware service configured to run during boot on the host processor to verify that the computing platform is authorized for operation, the authorization based at least on location-based information received from the positioning device and pre-defined platform policy; and
  
  a runtime service configured to run after boot on the out-of-band processor independent of the status of the host processor, the runtime service configured to verify that the computing platform is authorized for operation, the authorization based at least on location-based information received from the positioning device and pre-defined platform policy;
  
  wherein when the computing platform is out of range of a location defined in the pre-defined platform policy, the runtime service is configured to send a message to the host processor through a shared memory accessible to the host processor and the out-of-band processor, the message to cause the host processor to perform a security function to inhibit operation of the platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 37, 38)
- - 2. The system as recited in claim 1, wherein the firmware service is configured to allow normal operation when the computing platform is within range of the location defined in the platform policy and an identifier associated with the computing platform is authenticated.
  - 3. The system as recited in claim 2, wherein the firmware service is configured to prohibit the computing platform from completing the boot when the computing platform is out of range of the location defined in the platform policy or if the identifier associated with the computing platform is not authenticated.
  - 4. The system as recited in claim 1, wherein the runtime service is configured to allow normal operation when the computing platform is within range of the location defined in the platform policy and an identifier associated with the computing platform is authenticated.
  - 5. The system as recited in claim 4, wherein when the computing platform is out of range of the location defined in the platform policy or if the identifier associated with the computing platform not authenticated, the firmware service is configured to perform at least one of lock-up the computing platform, force the computing platform to execute a screensaver, or shutdown the computing platform.
  - 6. The system as recited in claim 1, wherein the computing platform is configured to send an alert when the computing platform fails authorization for operation.
  - 7. The system as recited in claim 6, wherein the alert is to be sent by at least one of a network device coupled to the host processor or a network device coupled to the out-of-band processor.
  - 8. The system as recited in claim 1, wherein the authorization is also based on detection that the computing platform is within a predefined range of at least one security device.
  - 9. The system as recited in claim 8, wherein the security device comprises a physical device having either a passive or active radio frequency identifier known to the platform policy.
  - 10. The system as recited in claim 1, wherein the location-based information includes an indicator as to whether the computing platform is within range of an authorized network.
  - 11. The system as recited in claim 1, wherein the positioning device is a global positioning satellite system.
  - 12. The system as recited in claim 1, wherein the positioning device is a local positioning system within range of the computing platform.
  - 37. The system as recited in claim 8, wherein the security device comprises a biometric reader.
  - 38. The system as recited in claim 1, wherein:
    - the authorization is further based on detection that the computing platform is within a predefined range of at least one security device,the runtime service is configured to perform a first security operation in response to the computing platform being out of range of the location defined in the platform, andthe runtime service is configured to perform a second security operation in response to the computing platform being out of range of the at least one security device, the second security operation different from the first security operation.

13. A method for protecting a computing platform from unauthorized access, comprising:
- receiving location-based information from a positioning device during both boot and runtime;
  
  determining whether the computing platform is within range of a pre-defined location, based on the received location-based information and a platform policy;
  
  transmitting a platform identifier to an ID Authenticator on a network server;
  
  receiving one of an authentication confirmation or authentication failure from the ID Authenticator;
  
  determining whether the computing platform is authorized to operate at a current location determined by the received location-based information, authentication confirmation or authentication failure of the platform identifier, and platform policy;
  
  when the computing platform is authorized to operate, allowing normal boot and runtime operation; and
  
  when the computing platform is not authorized to operate, based on platform policy and whether the computing platform is in boot mode or runtime mode, performing a security function including at least one of;
  
  prohibiting the computing platform to boot,locking-up the computing platform when in runtime,shutting down the computing platform when in runtime, andsending an alert that identifies failure to authorize the computing platform to operate normally;
  
  wherein determining whether the computing platform is authorized to operate is (i) is performed by a firmware service executed on a host processor on the computing platform during boot, (ii) is performed by a system service executed on an out-of-band processor on the computing platform independent of the status of the host processor during runtime, the out-of-band processor powered independently of the host processor to enable operation independent of the status of the host processor, and (iii) includes sending a message by the system service to the host processor through a shared memory accessible to the host processor and the out-of-band processor when the computing platform is not authorized to operate, the message to cause the host processor to perform the security function.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 40)
- - 14. The method as recited in claim 13, wherein the host processor and out-of-band processor are coupled to separate network devices capable of independent communication to at least one network device.
  - 15. The method as recited in claim 13, further comprising allowing normal boot operation when the computing platform is within range of a location defined in the computing platform policy and the platform ID is confirmed.
  - 16. The method as recited in claim 15, further comprising prohibiting the computing platform from completing the boot when the computing platform is out of range of the location defined in the platform policy or if authentication failure from the ID Authenticator is received.
  - 17. The method as recited in claim 13, further comprising allowing normal runtime operation when the computing platform is within range of a location defined in the platform policy and the platform ID authentication is confirmed.
  - 18. The method recited in claim 17, further comprising performing at least one of locking-up the computing platform, forcing the computing platform to execute a screensaver, or shutting down the computing platform when the computing platform is out of range of the location defined in the platform policy or when an authentication failure is received from the ID Authenticator.
  - 19. The method as recited in claim 13, further comprising sending an alert to a network device when the computing platform fails authorization for operation.
  - 20. The method as recited in claim 13, wherein determining whether the computing platform is authorized to operate at a current location further comprises:
    - detecting proximity of at least one security device, wherein when the at least one security device fails to maintain proximity to the computing platform, then causing the authorization to be withdrawn or withheld, wherein the platform policy defines thresholds for proximity and authorized security devices.
  - 21. The method as recited in claim 20, wherein the security device comprises a physical device having either passive or active radio frequency identifier known to the platform policy.
  - 22. The method as recited in claim 13, wherein the location-based information includes an indicator as to whether the computing platform is within range of an authorized network.
  - 23. The method as recited in claim 13, wherein the positioning device is a global positioning satellite system.
  - 24. The method as recited in claim 13, wherein the positioning device is a local positioning system within range of the computing platform.
  - 40. The method as recited in claim 13, wherein determining whether the computing platform is within range of the pre-defined location comprises determining whether a signal power associated with the location-based information received from the positioning device is greater than a threshold power.

25. A non-transitory computer readable storage medium having instructions stored therein for protecting a computing platform from unauthorized access, the instructions when executed on at least one processor on the computing platform, cause the computing platform to:
- receive location-based information from a positioning device during both boot and runtime;
  
  determine whether the computing platform is within range of a pre-defined location, based on the received location-based information and a platform policy;
  
  transmit a platform identifier to an ID Authenticator on a network server;
  
  receive one of an authentication confirmation or authentication failure from the ID Authenticator;
  
  determine whether the computing platform is authorized to operate at a current location determined by the received location-based information, authentication confirmation or authentication failure of the platform identifier, and platform policy;
  
  when the computing platform is authorized to operate, allow normal boot and runtime operation; and
  
  when the computing platform is not authorized to operate, based on platform policy and whether the computing platform is in boot mode or runtime mode, perform a security function including at least one of;
  
  prohibit the computing platform to boot,lock-up the computing platform when in runtime,shut down the computing platform when in runtime, andsend an alert that identifies failure to authorize the computing platform to operate normally;
  
  wherein to determine whether the computing platform is authorized to operate (i) is performed by a firmware service executed on a host processor on the computing platform during boot, (ii) is performed by a system service executed on an out-of-band processor on the computing platform independent of the status of the host processor during runtime, the out-of-band processor powered independently of the host processor to enable operation independent of the status of the host processor, and (iii) includes to send a message by the system service to the host processor through a shared memory accessible to the host processor and the out-of-band processor when the computing platform is not authorized to operate, the message to cause the host processor to perform the security function.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 39)
- - 26. The medium as recited in claim 25, wherein the host processor and second processor are coupled to separate network devices capable of independent communication to at least one network device.
  - 27. The medium as recited in claim 25, further comprising instructions to allow normal boot operation when the computing platform is within range of a location defined in the platform policy and the platform ID is confirmed.
  - 28. The medium as recited in claim 27, further comprising instructions to prohibit the computing platform from completing the boot when the computing platform is out of range of the location defined in the platform policy or if authentication failure from the ID Authenticator is received.
  - 29. The medium as recited in claim 25, further comprising instructions to allow normal runtime operation when the computing platform is within range of a location defined in the platform policy and the platform ID authentication is confirmed.
  - 30. The medium recited in claim 29, further comprising instructions to perform at least one of locking-up the computing platform, forcing the computing platform to execute a screensaver, or shutting down the computing platform when the computing platform is out of range of the location defined in the platform policy or when an authentication failure is received from the ID Authenticator.
  - 31. The medium as recited in claim 25, further comprising instructions to sending an alert to a network device when the computing platform fails authorization for operation.
  - 32. The medium as recited in claim 25, wherein determining whether the computing platform is authorized to operate at a current location further comprises instructions to:
    - detect proximity of at least one security device, wherein when the at least one security device fails to maintain proximity to the computing platform, then cause the authorization to be withdrawn or withheld, wherein the platform policy defines thresholds for proximity and authorized security devices.
  - 33. The medium as recited in claim 32, wherein the security device comprises a physical device having either passive or active radio frequency identifier known to the platform policy.
  - 34. The medium as recited in claim 25, wherein the location-based information includes an indicator as to whether the computing platform is within range of an authorized network.
  - 35. The method as recited in claim 25, wherein the positioning device is a global positioning satellite system.
  - 36. The medium as recited in claim 25, wherein the positioning device is a local positioning system within range of the computing platform.
  - 39. The medium as recited in claim 25, wherein the instructions further cause the computing platform to:
    - perform a first security operation selected in response to the computing platform being out of range of the location defined in the platform policy,detect proximity of at least one security device, andperform a second security operation in response to the computing platform being out of range of the at least one security device, the second security operation being different from the first security operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Rothman, Michael M., Zimmer, Vincent
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US12/347,830
Publication Number

US 20100169949A1
Time in Patent Office

1,749 Days
Field of Search

726 1- 10, 726 16- 21, 726 34- 36, 726 26- 30, 4554561-4566
US Class Current

726/2
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/35   communicating wirelessly

G06F 21/52   during program execution, e...

G06F 21/575   Secure boot

G06F 21/88   Detecting or preventing the...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 9/4408   Boot device selection

G06F 9/441   Multiboot arrangements, i.e...

System and method to provide added security to a platform using locality-based data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

145 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to provide added security to a platform using locality-based data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links