Abstract:
A method and system capable of implicitly authenticating users based on information gathered from one or more sensors, which may be located in one or more devices, and an authentication model trained via a machine learning technique. Data is collected, manipulated, and assessed with the authentication model in order to determine if the user is authentic. A wide variety of sensors may be utilized, including sensors in smartphones, smartwatches, other wearable devices, and other sensors accessible via an internet of things (IoT) system. The method and system can include continuously testing the user's behavior patterns and environment characteristics, and allowing authentication without interrupting the user's other interactions with a given device or requiring explicit user input. The method and system may also involve the authentication model being retrained, or adaptively updated to include temporal changes in the user's patterns.
Abstract:
A system and method for processor-based security is provided, for on-chip security and trusted computing services for software applications. A processor is provided having a processor core, a cache memory, a plurality of registers for storing at least one hash value and at least one encryption key, a memory interface, and at least one on-chip instruction for creating a secure memory area in a memory external to the processor, and a hypervisor program executed by the processor. The hypervisor program instructs the processor to execute the at least one on-chip instruction to create a secure memory area for a software area for a software module, and the processor encrypts data written to, and decrypts data read from, the external memory using the at least one encryption key and the verifying data read from the external memory using the at least one hash value. Secure module interactions are provided, as well as the generation of a power-on key which can be used to protect memory in the event of a re-boot event. Lightweight, run-time attestation reports are generated which include selected information about software modules executed by the processors, for use in determining whether the processor is trusted to provide secure services.
Abstract:
A functional unit for a microprocessor is provided, which allows for fast, parallel data read, write, and manipulation operations in the microprocessor that are useful for a number of software applications, such as cryptography. The functional unit includes first and second source registers for receiving first and second data items to be processed by the functional unit, first and second banks of memory tables, a combinational logic circuit, and a decoder. The first and second banks of memory tables are in communication with the first source register, and each of the tables is indexed by an index comprising a portion of the first data item received by the first source register. Each index points to a lookup result in a respective one of the memory tables. The combinational logic circuit is in communication with the first and second banks of memory tables and the second source register, receives the lookup results, and processes the lookup results and the second data item in the second source register to produce a result data item. The decoder circuit is in communication with the combinational logic circuit, and extracts an operational code from an instruction supplied to the functional unit, decodes the operational code, and controls the combinational logic circuit in accordance with the operational code.
Abstract:
Parallel table lookups are implemented using variable Mux instructions to reorder data. Table data can be represented in a “table” register, while the desired ordering can be represented in an “Index” register. A direct variable Mux instruction can specify the table register and the index register as arguments, along with a result register. The instruction writes at least some of the data from the table register into the result register as specified in the index register. If the entire table cannot fit within a single register, entries can be divided between two or more table registers. An indirect variable Mux instruction can specify both a table-register-select register and a subword-location-select register. Both the direct and indirect Mux instructions can be used with entry data that is divided in accordance with significance between registers. In that case, plural Mux instructions are used with UnPack instructions that concatenate portions of the table entries.
Abstract:
The present invention provides permutation instructions which can be used in software executed in a programmable processor for solving permutation problems in cryptography, multimedia and other applications. The permute instructions are based on a Benes network comprising two butterfly networks of the same size connected back-to-back. Intermediate sequences of bits are defined that an initial sequence of bits from a source register are transformed into. Each intermediate sequence of bits is used as input to a subsequent permutation instruction. Permutation instructions are determined for permuting the initial source sequence of bits into one or more intermediate sequences of bits until a desired sequence is obtained. The intermediate sequences of bits are determined by configuration bits. The permutation instructions form a permutation instruction sequence of at least one instruction. At most 2 lg r/m permutation instructions are used in the permutation instruction sequence, where r is the number of k-bit subwords to be permuted, and m is the number of network stages executed in one instruction. The permutation instructions can be used to permute k-bit subwords packed into an n-bit word, where k can be 1, 2, . . . , or n bits, and k*r=n.
Abstract:
An apparatus for operating on the contents of an input register to generate the contents of an output register which contains a permutation, with or without repetitions, or a combination of the contents of the input register. The apparatus partitions the input register into a plurality of sub-words, each sub-word being characterized by a location in the input register and a length greater than one bit. In response to an instruction specifying a rearrangement of the input register, the present invention directs at least one of the sub-words in the input register to a location in the output register that differs from the location occupied by the sub-word in the input register. The ordering of the sub-words in the output register differs from the order obtainable by a single shift instruction. In the preferred embodiment of the present invention, the invention is implemented by modifying a conventional shifter comprising a plurality of layers of multiplexers. The modification comprises independently setting the control signals for at least one of the multiplexers in at least one of the layers.
Abstract:
A computer instruction set is presented in accordance with the preferred embodiment of the present invention. Some instructions within the instruction set have immediate fields which are allowed to vary in length and fill up all unused bit positions in the instructions. A sign bit is in a fixed location for instructions within the instruction set. For example, the sign bit may be right justified with respect to the immediate field, that is the sign bit is put in the least significant (rightmost) bit position. This allows time-critical suboperations to proceed without waiting for the value of the sign bit to be located and decoded.
Abstract:
A trust system and method is disclosed for use in computing devices, particularly portable devices, in which a central Authority shares secrets and sensitive data with users of the respective devices. The central Authority maintains control over how and when shared secrets and data are used. In one embodiment, the secrets and data are protected by hardware-rooted encryption and cryptographic hashing, and can be stored securely in untrusted storage. The problem of transient trust and revocation of data is reduced to that of secure key management and keeping a runtime check of the integrity of the secure storage areas containing these keys (and other secrets). These hardware-protected keys and other secrets can further protect the confidentiality and/or integrity of any amount of other information of arbitrary size (e.g., files, programs, data) by the use of strong encryption and/or keyed-hashing, respectively. In addition to secrets the Authority owns, the system provides access to third party secrets from the computing devices. In one embodiment, the hardware-rooted encryption and hashing each use a single hardware register fabricated as part of the computing device's processor or System-on-Chip (SoC) and protected from external probing. The secret data is protected while in the device even during operating system malfunctions and becomes non-accessible from storage according to various rules, one of the rules being the passage of a certain time period. The use of the keys (or other secrets) can be bound to security policies that cannot be separated from the keys (or other secrets). The Authority is also able to establish remote trust and secure communications to the devices after deployment in the field using a special tamper-resistant hardware register in the device, to enable, disable or update the keys or secrets stored securely by the device.
Abstract:
A cache memory having enhanced performance and security features is provided. The cache memory includes a data array storing a plurality of data elements, a tag array storing a plurality of tags corresponding to the plurality of data elements, and an address decoder which permits dynamic memory-to-cache mapping to provide enhanced security of the data elements, as well as enhanced performance. The address decoder receives a context identifier and a plurality of index bits of an address passed to the cache memory, and determines whether a matching value in a line number register exists. The line number registers allow for dynamic memory-to-cache mapping, and their contents can be modified as desired. Methods for accessing and replacing data in a cache memory are also provided, wherein a plurality of index bits and a plurality of tag bits at the cache memory are received. The plurality of index bits are processed to determine whether a matching index exists in the cache memory and the plurality of tag bits are processed to determine whether a matching tag exists in the cache memory, and a data line is retrieved from the cache memory if both a matching tag and a matching index exist in the cache memory. A random line in the cache memory can be replaced with a data line from a main memory, or evicted without replacement, based on the combination of index and tag misses, security contexts and protection bits. User-defined and/or vendor-defined replacement procedures can be utilized to replace data lines in the cache memory.