公开(公告)号：US20120047580A1

公开(公告)日：2012-02-23

申请号：US12858882

申请日：2010-08-18

申请人： Ned M. Smith ,  Gunner D. Danneels ,  Vedvyas Shanbhogue ,  Suresh Sugumar

发明人： Ned M. Smith ,  Gunner D. Danneels ,  Vedvyas Shanbhogue ,  Suresh Sugumar

IPC分类号： G06F21/00

CPC分类号： G06F21/53 ,  G06F21/564 ,  G06F21/575

摘要： An antivirus (AV) application specifies a fault handler code image, a fault handler manifest, a memory location of the AV application, and an AV application manifest. A loader verifies the fault handler code image and the fault handler manifest, creates a first security domain having a first security level, copies the fault handler code image to memory associated with the first security domain, and initiates execution of the fault handler. The loader requests the locking of memory pages in the guest OS that are reserved for the AV application. The fault handler locks the executable code image of the AV application loaded into guest OS memory by setting traps on selected code segments in guest OS memory.

摘要翻译： 防病毒（AV）应用程序指定故障处理程序代码映像，故障处理程序清单，AV应用程序的存储位置和AV应用程序清单。 加载程序验证故障处理程序代码映像和故障处理程序清单，创建具有第一安全级别的第一安全域，将故障处理程序代码映像复制到与第一安全域相关联的存储器，并启动故障处理程序的执行。 加载程序请求锁定为AV应用程序保留的访客操作系统中的内存页面。 故障处理器通过在客户机操作系统内存中的选定代码段上设置陷阱来锁定加载到客户机操作系统内存中的AV应用程序的可执行代码映像。

公开(公告)号：US20110145558A1

公开(公告)日：2011-06-16

申请号：US12636884

申请日：2009-12-14

申请人： Hormuzd M. Khosravi ,  Ajith K. Illendula ,  Ned M. Smith ,  Yasser Rasheed ,  Tracie L. Zenti ,  Bryan K. Jorgensen

发明人： Hormuzd M. Khosravi ,  Ajith K. Illendula ,  Ned M. Smith ,  Yasser Rasheed ,  Tracie L. Zenti ,  Bryan K. Jorgensen

IPC分类号： G06F15/177 ,  G06F13/00

CPC分类号： G06F9/4416 ,  G06F13/105 ,  G06F13/4027

摘要： A management engine may be used to trap configuration cycles during the boot process and thereafter in response to operating system enumeration. As a result, a virtual bus device can be created. The bus device may be used to provision software to the platform even when the operating system is corrupted or non-functional.

摘要翻译： 管理引擎可用于在引导过程期间以及其后响应于操作系统枚举来捕获配置周期。 结果，可以创建虚拟总线设备。 总线设备可用于将软件提供给平台，即使操作系统损坏或不起作用。

公开(公告)号：US20110138166A1

公开(公告)日：2011-06-09

申请号：US12974244

申请日：2010-12-21

申请人： Jacek Peszek ,  Ned M. Smith ,  Vincent J. Zimmer ,  Victoria C. Moore ,  Alberto J. Martinez

发明人： Jacek Peszek ,  Ned M. Smith ,  Vincent J. Zimmer ,  Victoria C. Moore ,  Alberto J. Martinez

IPC分类号： G06F9/24

CPC分类号： G06F21/575

摘要： In one embodiment, the present invention includes a method for obtaining a pre-boot authentication (PBA) image from a non-volatile storage that is configured with full disk encryption (FDE), and storing the PBA image in a memory. Then a callback protocol can be performed between a loader executing on an engine of a chipset and an integrity checker of a third party that provided the PBA image to confirm integrity of the PBA image, the PBA image is executed if the integrity is confirmed, and otherwise it is deleted. Other embodiments are described and claimed.

摘要翻译： 在一个实施例中，本发明包括一种从配置有全盘加密（FDE）的非易失性存储器获得预引导认证（PBA）图像并将PBA图像存储在存储器中的方法。 然后，可以在执行在芯片组的引擎上的加载器和提供PBA图像以确认PBA图像的完整性的第三方的完整性检查器之间执行回调协议，如果确认完整性则执行PBA图像;以及 否则删除。 描述和要求保护其他实施例。

公开(公告)号：US20230119552A1

公开(公告)日：2023-04-20

申请号：US18084746

申请日：2022-12-20

申请人： Kshitij Arun Doshi ,  Hassnaa Moustafa ,  Francesc Guim Bernat ,  Christian Maciocco ,  Srikathyayani Srikanteswara ,  Vesh Raj Sharma Banjade ,  S M Iftekharul Alam ,  Satish Chandra Jha ,  Ned M. Smith

发明人： Kshitij Arun Doshi ,  Hassnaa Moustafa ,  Francesc Guim Bernat ,  Christian Maciocco ,  Srikathyayani Srikanteswara ,  Vesh Raj Sharma Banjade ,  S M Iftekharul Alam ,  Satish Chandra Jha ,  Ned M. Smith

IPC分类号： H04L47/783

摘要： Systems and methods for managing distributed compute resources are described herein. A system is configured to receive, from an agent operating at a first compute domain of a plurality of compute domains, a request for compute resources; broadcast the request for compute resources to respective agents at the plurality of compute domains; receive a plurality of offers for available compute resources from at least a portion of the plurality of compute domains; transmit, to a selected agent at a selected compute domain of the plurality of compute domains, a commit message to reserve compute resources of the selected compute domain associated with a selected offer of the plurality of offers; and transmit an indication of the commit message to the agent at the first compute domain, wherein the first compute domain is to use the compute resources reserved at the selected compute domain for workloads of the first compute domain.

公开(公告)号：US20230010406A1

公开(公告)日：2023-01-12

申请号：US17711933

申请日：2022-04-01

申请人： Kshitij Arun Doshi ,  Francesc Guim Bernat ,  Ned M. Smith

发明人： Kshitij Arun Doshi ,  Francesc Guim Bernat ,  Ned M. Smith

IPC分类号： H04L9/40

摘要： The subject matter described herein provides technical solutions for technical problems facing computing network security. Technical solutions described herein include adaptive sniffing of networking traffic, such as using a brokered network traffic sniffing framework. A brokered sniffing framework may be used to provide dynamic adjustment of network access points and network traffic sampling queries, such as by providing dynamic adjustment in response to changes to the network topology or network traffic. The brokered sniffing framework may provide improved statistical sampling of network traffic using improved network traffic telemetry, such as by modifying a statistical profile of network traffic contents that are collected. The network traffic telemetry may be used to identify various changes in network traffic, such as by identifying statistically significant changes in latencies, bandwidths, or other data center performance metrics.

公开(公告)号：US20220225227A1

公开(公告)日：2022-07-14

申请号：US17711579

申请日：2022-04-01

申请人： Satish Chandra Jha ,  S M Iftekharul Alam ,  Vesh Raj Sharma Banjade ,  Ned M. Smith ,  Arvind Merwaday ,  Kshitij Arun Doshi ,  Francesc Guim Bernat ,  Liuyang Lily Yang ,  Kuilin Clark Chen ,  Christian Maciocco ,  Marcio Rogerio Juliato ,  Maruti Gupta Hyde ,  Manoj R. Sastry

发明人： Satish Chandra Jha ,  S M Iftekharul Alam ,  Vesh Raj Sharma Banjade ,  Ned M. Smith ,  Arvind Merwaday ,  Kshitij Arun Doshi ,  Francesc Guim Bernat ,  Liuyang Lily Yang ,  Kuilin Clark Chen ,  Christian Maciocco ,  Marcio Rogerio Juliato ,  Maruti Gupta Hyde ,  Manoj R. Sastry

IPC分类号： H04W48/18 ,  H04W28/24 ,  H04W24/02 ,  H04W72/08

摘要： System and techniques for network slice resiliency are described herein. An indication of a fault-attack-failure-outage (FAFO) event for a network slice may be received. Here, the network slice is one of multiple network slices. A capacity in a slice segment may be estimated to determine whether there is enough capacity to meet a service level agreement (SLA) of the multiple network slices based on the FAFO event. In this case, the slice segment is a set of physical resources shared by the multiple network slices. Operation of the slice segment may then be modified based on results from estimating the capacity in the slice segment to address impacts from the FAFO event.

公开(公告)号：US20220116445A1

公开(公告)日：2022-04-14

申请号：US17559968

申请日：2021-12-22

申请人： Miltiadis Filippou ,  Dario Sabella ,  Kishen Maloor ,  Ned M. Smith

发明人： Miltiadis Filippou ,  Dario Sabella ,  Kishen Maloor ,  Ned M. Smith

IPC分类号： H04L67/10 ,  H04L67/12 ,  H04L67/568 ,  H04L41/0803

摘要： A machine-readable storage medium includes instructions stored thereupon, which when executed by processing circuitry of a computing node operable to implement a service mesh control plane (SMCP) in a MEC network, cause the processing circuitry to decode an attestation request received from a sidecar proxy of a deployable instance. The sidecar proxy is instantiated on a MEC host. Evidence information is collected from the deployable instance responsive to the attestation request, the evidence information comprising at least one security configuration of the deployable instance. An attestation of the evidence information is performed using a verified configuration of the deployable instance to generate an integrity report. An attestation token is generated based on the integrity report and is encoded for transmission to the MEC host. The attestation token authorizes the sidecar proxy to obtain configuration to facilitate a data exchange between the deployable instance and at least another deployable instance.

公开(公告)号：US20220114251A1

公开(公告)日：2022-04-14

申请号：US17561134

申请日：2021-12-23

申请人： Francesc Guim Bernat ,  Kshitij Arun Doshi ,  Adrian Hoban ,  Thijs Metsch ,  Dario Nicolas Oliver ,  Marcos E. Carranza ,  Mats Gustav Agerstam ,  Bin Li ,  Patrick Koeberl ,  Susanne M. Balle ,  John J. Browne ,  Cesar Martinez-Spessot ,  Ned M. Smith

发明人： Francesc Guim Bernat ,  Kshitij Arun Doshi ,  Adrian Hoban ,  Thijs Metsch ,  Dario Nicolas Oliver ,  Marcos E. Carranza ,  Mats Gustav Agerstam ,  Bin Li ,  Patrick Koeberl ,  Susanne M. Balle ,  John J. Browne ,  Cesar Martinez-Spessot ,  Ned M. Smith

IPC分类号： G06F21/51 ,  G06F21/57 ,  H04L43/0823 ,  H04L41/5009

摘要： Various systems and methods for implementing reputation management and intent-based security mechanisms are described herein. A system for implementing intent-driven security mechanisms, configured to: determine, based on a risk tolerance intent related to execution of an application on a compute node, whether execution of a software-implemented operator requires a trust evaluation; and in response to determining that the software-implemented operator requires the trust evaluation: obtain a reputation score of the software-implemented operator; determine a minimum reputation score from the risk tolerance intent; compare the reputation score of the software-implemented operator to the minimum reputation score; and reject or permit execution of the software-implemented operator based on the comparison

公开(公告)号：US20220113914A1

公开(公告)日：2022-04-14

申请号：US17560945

申请日：2021-12-23

申请人： Kshitij Arun Doshi ,  Francesc Guim Bernat ,  Ned M. Smith

发明人： Kshitij Arun Doshi ,  Francesc Guim Bernat ,  Ned M. Smith

IPC分类号： G06F3/06 ,  G06F12/02 ,  G06F12/0888

摘要： Systems and techniques for storage-class memory device including a network interface are described herein. A write for a network communication is received by the host interface of the memory device. Here, the network communication includes a header. The header is written to a non-volatile storage array managed by a memory controller. A network command is detected by the memory device. Here, the network command includes a pointer to the header in the non-volatile storage array. The header is retrieved from the non-volatile storage array and a packet based on the header is transmitted via a network interface of the memory controller.

公开(公告)号：US20210314365A1

公开(公告)日：2021-10-07

申请号：US17351004

申请日：2021-06-17

申请人： Ned M. Smith ,  Jose Benchimol ,  Andrew Draper

发明人： Ned M. Smith ,  Jose Benchimol ,  Andrew Draper

IPC分类号： H04L29/06 ,  G06F11/34

摘要： Various examples of device and system implementations and methods for performing end-to-end attestation operations for multi-layer hardware devices are disclosed. In an example, attestation operations are performed by a verifier, including: obtaining layered attestation evidence regarding a state of a compute device, with the layered attestation evidence including attesting evidence provided from a second hardware layer of the compute device, such that the attesting evidence provided from the second hardware layer is generated from attesting evidence provided from a first hardware layer of the compute device to the second hardware layer of the compute device; obtaining endorsement information relating to the layered attestation evidence for the state of the compute device; determining an appraisal policy for performing attestation of the compute device from the layered attestation evidence; and applying the appraisal policy and the endorsement information to the layered attestation evidence, to perform attestation of the compute device.