Managing firmware update attempts

US 8,601,170 B1
Filed: 09/08/2009
Issued: 12/03/2013
Est. Priority Date: 09/08/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method for tracking attempted updates to firmware on a peripheral device of a host machine, comprising:

under control of one or more computer systems configured with executable instructions,provisioning a guest operating system (OS) with non-virtualized direct memory access to at least one device of a host machine, the guest OS provisioned for a remote user and being accessible by the remote user over a network connection;

configuring a secure counter to monotonically adjust a current value of the secure counter for each attempted update to firmware of the at least one device that is accessible via non-virtualized direct memory access to the guest OS;

verifying at least once that the firmware has been updated by an authorized source and storing the current value of the secure counter as an expected value in a secure location inaccessible to the guest OS provisioned on the host machine;

at one or more subsequent times, comparing the current value of the secure counter with the expected value; and

if it is determined, based on the comparing, that the current value of the secure counter has been modified but that the authorized source had not updated the firmware, performing at least one remedial action with respect to at least one of the remote user, the firmware, the device, or the host machine.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Attempts to update confirmation information or firmware for a hardware device can be monitored using a secure counter that is configured to monotonically adjust a current value of the secure counter for each update or update attempt. The value of the counter can be determined every time the validity of the firmware is confirmed, and this value can be stored to a secure location. At subsequent times, such as during a boot process, the actual value of the counter can be determined and compared with the expected value. If the values do not match, such that the firmware may be in an unexpected state, an action can be taken, such as to prevent access to, or isolate, the hardware until such time as the firmware can be validated or updated to an expected state.

158 Citations

View as Search Results

28 Claims

1. A computer-implemented method for tracking attempted updates to firmware on a peripheral device of a host machine, comprising:
- under control of one or more computer systems configured with executable instructions,provisioning a guest operating system (OS) with non-virtualized direct memory access to at least one device of a host machine, the guest OS provisioned for a remote user and being accessible by the remote user over a network connection;
  
  configuring a secure counter to monotonically adjust a current value of the secure counter for each attempted update to firmware of the at least one device that is accessible via non-virtualized direct memory access to the guest OS;
  
  verifying at least once that the firmware has been updated by an authorized source and storing the current value of the secure counter as an expected value in a secure location inaccessible to the guest OS provisioned on the host machine;
  
  at one or more subsequent times, comparing the current value of the secure counter with the expected value; and
  
  if it is determined, based on the comparing, that the current value of the secure counter has been modified but that the authorized source had not updated the firmware, performing at least one remedial action with respect to at least one of the remote user, the firmware, the device, or the host machine.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the secure counter is implemented on one of the device, the host machine, an input/output (I/O) chipset, an element on a bus, or a data path routing component of the host machine.
  - 3. The computer-implemented method of claim 1, wherein the firmware for the host machine comprises firmware for a central processing unit, Basic Input/Output System (BIOS), or the device of the host machine.
  - 4. The computer-implemented method of claim 1, wherein the at least one remedial action includes at least one of limiting user access to at least a portion of components of the host machine, isolating the host machine, logging information, shutting down at least a portion of a user network, and shutting down the host machine.

5. A computer-implemented method for tracking attempted updates to configuration information on a hardware device, comprising:
- under control of one or more computer systems configured with executable instructions,provisioning a guest operating system (OS) with non-virtualized direct memory access to at least one device of a host machine, the guest OS provisioned for a remote user and being accessible by the remote user over a network connection;
  
  configuring a counter to monotonically adjust a current value of the counter for each attempted update to configuration information of the at least one device that is accessible via non-virtualized direct memory access to the guest OS;
  
  verifying at least once that the configuration information on the host machine has been updated by an authorized source and storing the current value of the counter as an expected value in a secure location;
  
  at one or more subsequent times, comparing an actual value of the counter with the expected value; and
  
  if it is determined, based on the comparing, that the current value of the counter has been modified but that the authorized source had not updated the configuration information, performing at least one action with respect to at least one of the remote user, the configuration information, or the host machine.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 6. The computer-implemented method of claim 5, wherein:
    - storing the current value in a secure location includes storing the current value in memory on the host machine or in a data store external to the host machine.
  - 7. The computer-implemented method of claim 5, further comprising:
    - configuring at least one additional counter to monotonically adjust the current value of an additional counter for each attempted update to configuration information for an additional hardware device, the additional hardware device being included on the host machine.
  - 8. The computer-implemented method of claim 7, wherein the configuration information for the hardware device comprises firmware for a peripheral device, central processing unit, or Basic Input/Output System (BIOS) of the host machine.
  - 9. The computer-implemented method of claim 8, wherein at least one counter is implemented on one of a peripheral device, the host machine, an input/output (I/O) chipset, an element on a bus, or a data path routing component of the host machine.
  - 10. The computer-implemented method of claim 8, wherein the host machine includes a plurality of counters and wherein a master counter aggregates the current value for each counter of the plurality of counters on the host machine.
  - 11. The computer-implemented method of claim 10, wherein the master counter includes a display visible from an exterior of the host machine.
  - 12. The computer-implemented method of claim 10, wherein the current value for each counter in the plurality of counters are aggregated using a secure channel inaccessible to the remote user.
  - 13. The computer-implemented method of claim 5, wherein the configuration information is unable to be updated without adjusting the current value of the counter.
  - 14. The computer-implemented method of claim 5, wherein the at least one action includes at least one of limiting user access to at least a portion of the host machine, isolating the host machine, logging information, shutting down at least a portion of a user network, and shutting down the host machine.
  - 15. The computer-implemented method of claim 5, wherein the at least one action includes verifying a state of the configuration information, and if the configuration information is in a valid state, storing the actual value of the counter as the expected value.
  - 16. The computer-implemented method of claim 5, further comprising:
    - enabling the configuration information to be updated using an external channel or port inaccessible to the remote user or a processing component of the host machine containing the at least one device,wherein update information received through the external channel or port does not adjust the current value of the counter.
  - 17. The computer-implemented method of claim 5, wherein the configuration information is unable to be updated by the remote user of the host machine, the counter configured to monotonically adjust the current value of the counter upon attempted updates to the configuration information by the remote user of the host machine.
  - 18. The computer-implemented method of claim 5, further comprising:
    - configuring a communication path for extracting the current value from the host machine, the communication path being inaccessible to a processing unit of the host machine containing the at least one device.

19. A system for tracking attempted updates to configuration information on a hardware device, comprising:
- a processor; and
  
  a memory device including instructions that, when executed by the processor, cause the processor to;
  
  provision a guest operating system (OS) with non-virtualized direct memory access to at least one device of a host machine, the guest OS provisioned for a remote user and being accessible by the remote user over a network connection;
  
  configure a counter to monotonically adjust a current value of the counter for each attempted update to configuration information of the at least one device that is accessible via non-virtualized direct memory access to the guest OS;
  
  verify at least once that the configuration information on the host machine has been updated by an authorized source and store the current value of the counter as an expected value in a secure location;
  
  at one or more subsequent times, compare an actual value of the counter with the expected value; and
  
  if it is determined, based on the comparing, that the current value of the counter has been modified but that the authorized source had not updated the configuration information, perform at least one action with respect to at least one of the remote user, the configuration information, or the host machine.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The system of claim 19, wherein storing the current value in a secure location includes storing the current value in memory on the host machine or in a data store external to the host machine.
  - 21. The system of claim 19, further comprising:
    - configuring at least one additional counter to monotonically adjust a current value of an additional counter for each attempted update to configuration information for an additional hardware device, the additional hardware device being included on the host machine.
  - 22. The system of claim 19, wherein the configuration information comprises firmware on the at least one device, central processing unit, or Basic Input/Output System (BIOS) of the host machine, and the counter is implemented on one of the at least one device, the host machine, an input/output (I/O) chipset, an element on a bus, or a data path routing component of the host machine.
  - 23. The system of claim 19, wherein the at least one action includes at least one of denying user access to the host machine, isolating the host machine, shutting down the host machine, logging information, shutting down at least a portion of a user network, and storing the current value of the counter as the expected value when the configuration information is verified to be in a valid state.

24. A non-transitory computer readable storage medium storing instructions for tracking attempted updates to configuration information on a hardware device, the instructions when executed by a processor causing the processor to:
- provision a guest operating system (OS) with non-virtualized direct memory access to at least one device of a host machine, the guest OS provisioned for a remote user and being accessible by the remote user over a network connection;
  
  configure a counter to monotonically adjust a current value of the counter for each attempted update to configuration information of the at least one device that is accessible via non-virtualized direct memory access to the guest OS;
  
  verify at least once that the configuration information on the host machine has been updated by an authorized source and store the current value of the counter as an expected value in a secure location;
  
  at one or more subsequent times, compare an actual value of the counter with the expected value; and
  
  if it is determined, based on the comparing, that the current value of the counter has been modified but that the authorized source had not updated the configuration information, perform at least one action with respect to at least one of the remote user, the configuration information, or the host machine.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The non-transitory computer readable storage medium of claim 24, wherein storing the current value in the secure location includes storing the current value in memory on the host machine or external to the host machine.
  - 26. The non-transitory computer readable storage medium of claim 24, wherein the configuration information comprises firmware on the at least one device, central processing unit, or Basic Input/Output System (BIOS) of the host machine, and the counter is implemented on one of the at least one device, the host machine, an input/output (I/O) chipset, an element on a bus, or a data path routing component of the host machine.
  - 27. The non-transitory computer readable storage medium of claim 24, wherein the at least one action includes at least one of denying user access to the host machine, isolating the host machine, shutting down the host machine, logging information, shutting down at least a portion of a user network, and storing the current value of the counter as the expected value when the configuration information is verified to be in a valid state.
  - 28. The non-transitory computer readable storage medium of claim 24, wherein the configuration information is unable to be updated by the remote user of the host machine, the counter configured to monotonically adjust the current value of the counter upon attempted updates to the configuration information by the remote user of the host machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Marr, Michael David, Vincent, Pradeep, Corddry, Matthew T., Hamilton, James R.
Primary Examiner(s)
Abad, Farley
Assistant Examiner(s)
YU, HENRY W

Application Number

US12/555,455
Time in Patent Office

1,547 Days
Field of Search

710/8, 710/15, 710/22, 713/2, 713/189, 713/193, 713/201, 717/168, 717/175, 717/8, 717/171, 707/205
US Class Current

710/8
CPC Class Codes

G06F 11/3003   Monitoring arrangements spe...

G06F 11/3051   Monitoring arrangements for...

G06F 21/57   Certifying or maintaining t...

G06F 21/572   Secure firmware programming...

G06F 21/575   Secure boot

G06F 21/577   Assessing vulnerabilities a...

G06F 2201/865   Monitoring of software

G06F 2201/88   Monitoring involving counting

G06F 2221/033   Test or assess software

G06F 8/65   Updates security arrangemen...

H04L 67/10   in which an application is ...

Managing firmware update attempts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

158 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Managing firmware update attempts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

158 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links