公开(公告)号：US20120226903A1

公开(公告)日：2012-09-06

申请号：US13412382

申请日：2012-03-05

申请人： David Durham ,  Hormuzd M. Khosravi ,  Uri Blumenthal ,  Men Long

发明人： David Durham ,  Hormuzd M. Khosravi ,  Uri Blumenthal ,  Men Long

IPC分类号： H04L29/06

CPC分类号： G06F21/54 ,  H04L9/004 ,  H04L9/3236 ,  H04L63/123 ,  H04L63/126 ,  H04L63/20 ,  H04L2209/60

摘要： Apparatuses, articles, methods, and systems for secure platform voucher service for software within an execution environment. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by authenticated, authorized and verified software components. A provisioning remote entity or gateway only needs to know a platform's public key or certificate hierarchy to receive verification for any component. The verification or voucher helps assure to the remote entity that no malware running in the platform or on the network will have access to provisioned material. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the software component.

摘要翻译： 用于执行环境中的软件的安全平台凭证服务的设备，物品，方法和系统。 一个实施例包括虚拟机监视器，操作系统监视器或其他底层平台功能的能力，以限制仅通过认证的，授权和验证的软件组件进行访问的存储器区域。 配置远程实体或网关只需要知道平台的公钥或证书层次结构来接收任何组件的验证。 验证或凭证有助于向远程实体确保在平台或网络上运行的恶意软件无法访问配置的资料。 代表在受保护的内存区域中提供的经认证/授权/验证的软件组件的软件组件可访问的基础平台来锁定和解锁秘密。

公开(公告)号：US08132003B2

公开(公告)日：2012-03-06

申请号：US11864573

申请日：2007-09-28

申请人： David Durham ,  Hormuzd M. Khosravi ,  Uri Blumenthal ,  Men Long

发明人： David Durham ,  Hormuzd M. Khosravi ,  Uri Blumenthal ,  Men Long

IPC分类号： H04L29/06

CPC分类号： G06F21/54 ,  H04L9/004 ,  H04L9/3236 ,  H04L63/123 ,  H04L63/126 ,  H04L63/20 ,  H04L2209/60

摘要： Embodiments of apparatus, articles, methods, and systems for secure platform voucher service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. A provisioning remote entity or gateway only needs to know a platform's public key or certificate hierarchy in order to receive verification proof for any component in the platform. The verification proof or voucher helps to assure to the remote entity that no man-in-the-middle, rootkit, spyware or other malware running in the platform or on the network will have access to the provisioned material. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the authenticated/authorized/verified software component. Other embodiments may be described and claimed.

摘要翻译： 这里一般地描述用于执行环境中的软件组件的安全平台凭单服务的装置，物品，方法和系统的实施例。 一个实施例包括虚拟机监视器，操作系统监视器或其他底层平台功能的能力，以限制存储器区域，以便仅通过特定认证的，授权的和已验证的软件组件进行访问，即使在其他受损的操作系统环境的一部分。 配置远程实体或网关只需要知道平台的公钥或证书层次结构，以便接收平台中任何组件的验证证明。 验证证明或凭证有助于向远程实体确保在平台或网络上运行的中间人，rootkit，间谍软件或其他恶意软件将无法访问所提供的资料。 代表被保护的内存区域中提供的经过身份验证/授权/验证的软件组件的锁定和解锁秘密的底层平台只能由经过身份验证/授权/验证的软件组件访问。 可以描述和要求保护其他实施例。

公开(公告)号：US08499151B2

公开(公告)日：2013-07-30

申请号：US13412382

申请日：2012-03-05

申请人： David Durham ,  Hormuzd M. Khosravi ,  Uri Blumenthal ,  Men Long

发明人： David Durham ,  Hormuzd M. Khosravi ,  Uri Blumenthal ,  Men Long

IPC分类号： H04L29/06

CPC分类号： G06F21/54 ,  H04L9/004 ,  H04L9/3236 ,  H04L63/123 ,  H04L63/126 ,  H04L63/20 ,  H04L2209/60

摘要： Apparatuses, articles, methods, and systems for secure platform voucher service for software within an execution environment. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by authenticated, authorized and verified software components. A provisioning remote entity or gateway only needs to know a platform's public key or certificate hierarchy to receive verification for any component. The verification or voucher helps assure to the remote entity that no malware running in the platform or on the network will have access to provisioned material. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the software component.

摘要翻译： 用于执行环境中的软件的安全平台凭证服务的设备，物品，方法和系统。 一个实施例包括虚拟机监视器，操作系统监视器或其他底层平台功能的能力，以限制仅通过认证的，授权和验证的软件组件进行访问的存储器区域。 配置远程实体或网关只需要知道平台的公钥或证书层次结构来接收任何组件的验证。 验证或凭证有助于向远程实体确保在平台或网络上运行的恶意软件无法访问配置的资料。 代表在受保护的内存区域中提供的经认证/授权/验证的软件组件的软件组件可访问的基础平台来锁定和解锁秘密。

公开(公告)号：US20080022129A1

公开(公告)日：2008-01-24

申请号：US11864573

申请日：2007-09-28

申请人： David Durham ,  Hormuzd Khosravi ,  Uri Blumenthal ,  Men Long

发明人： David Durham ,  Hormuzd Khosravi ,  Uri Blumenthal ,  Men Long

IPC分类号： H04L9/00 ,  G06F12/14 ,  H04L9/32

CPC分类号： G06F21/54 ,  H04L9/004 ,  H04L9/3236 ,  H04L63/123 ,  H04L63/126 ,  H04L63/20 ,  H04L2209/60

摘要： Embodiments of apparatus, articles, methods, and systems for secure platform voucher service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise comprised operating system environment. A provisioning remote entity or gateway only needs to know a platform's public key or certificate hierarchy in order to receive verification proof for any component in the platform. The verification proof or voucher helps to assure to the remote entity that no man-in-the-middle, rootkit, spyware or other malware running in the platform or on the network will have access to the provisioned material. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the authenticated/authorized/verified software component. Other embodiments may be described and claimed.

摘要翻译： 这里一般地描述用于执行环境中的软件组件的安全平台凭单服务的装置，物品，方法和系统的实施例。 一个实施例包括虚拟机监视器，操作系统监视器或其他底层平台功能的能力，以限制仅通过特定认证的，授权的和已验证的软件组件进行访问的存储器区域，即使在另外包含的操作系统环境的一部分。 配置远程实体或网关只需要知道平台的公钥或证书层次结构，以便接收平台中任何组件的验证证明。 验证证明或凭证有助于向远程实体确保在平台或网络上运行的中间人，rootkit，间谍软件或其他恶意软件将无法访问所提供的资料。 代表被保护的内存区域中提供的经过身份验证/授权/验证的软件组件的锁定和解锁秘密的底层平台只能由经过身份验证/授权/验证的软件组件访问。 可以描述和要求保护其他实施例。

公开(公告)号：US08839450B2

公开(公告)日：2014-09-16

申请号：US11833073

申请日：2007-08-02

申请人： David Durham ,  Hormuzd Khosravi ,  Uri Blumenthal ,  Men Long

发明人： David Durham ,  Hormuzd Khosravi ,  Uri Blumenthal ,  Men Long

IPC分类号： G06F12/14 ,  G06F17/30

CPC分类号： G06F21/6209 ,  G06F12/1408 ,  G06F12/1466 ,  G06F12/1475 ,  G06F21/52 ,  G06F21/53

摘要： Embodiments of apparatuses, articles, methods, and systems for secure vault service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the authenticated/authorized/verified software component. Other embodiments may be described and claimed.

摘要翻译： 这里一般地描述用于执行环境中的软件组件的安全保险库服务的装置，物品，方法和系统的实施例。 一个实施例包括虚拟机监视器，操作系统监视器或其他底层平台功能的能力，以限制存储器区域，以便仅通过特定认证的，授权的和已验证的软件组件进行访问，即使在其他受损的操作系统环境的一部分。 代表被保护的内存区域中提供的经过身份验证/授权/验证的软件组件的锁定和解锁秘密的底层平台只能由经过身份验证/授权/验证的软件组件访问。 可以描述和要求保护其他实施例。

公开(公告)号：US20090038017A1

公开(公告)日：2009-02-05

申请号：US11833073

申请日：2007-08-02

申请人： David Durham ,  Hormuzd Khosravi ,  Uri Blumenthal ,  Men Long

发明人： David Durham ,  Hormuzd Khosravi ,  Uri Blumenthal ,  Men Long

IPC分类号： H04L9/32 ,  G06F12/14

CPC分类号： G06F21/6209 ,  G06F12/1408 ,  G06F12/1466 ,  G06F12/1475 ,  G06F21/52 ,  G06F21/53

摘要： Embodiments of apparatuses, articles, methods, and systems for secure vault service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the authenticated/authorized/verified software component. Other embodiments may be described and claimed.

摘要翻译： 这里一般地描述用于执行环境中的软件组件的安全保险库服务的装置，物品，方法和系统的实施例。 一个实施例包括虚拟机监视器，操作系统监视器或其他底层平台功能的能力，以限制存储器区域，以便仅通过特定认证的，授权的和已验证的软件组件进行访问，即使在其他受损的操作系统环境的一部分。 代表被保护的内存区域中提供的经过身份验证/授权/验证的软件组件的锁定和解锁秘密的底层平台只能由经过身份验证/授权/验证的软件组件访问。 可以描述和要求保护其他实施例。

公开(公告)号：US20100250797A1

公开(公告)日：2010-09-30

申请号：US12415612

申请日：2009-03-31

申请人： Hormuzd M. Khosravi ,  Venkat R. Gokulrangan ,  Yasser Rasheed ,  Men Long

发明人： Hormuzd M. Khosravi ,  Venkat R. Gokulrangan ,  Yasser Rasheed ,  Men Long

IPC分类号： G06F3/00

CPC分类号： G06F21/561 ,  G06F21/51 ,  G06F21/56 ,  G06F21/74 ,  G06F21/85 ,  G06F2221/034 ,  G06F2221/2101 ,  G06F2221/2105

摘要： A platform to support verification of the contents of an input-output device. The platform includes a platform hardware, which may verify the contents of the I/O device. The platform hardware may comprise components such as manageability engine and verification engine that are used to verify the contents of the I/O device even before the contents of the I/O device are exposed to an operating system supported by a host. The platform components may delete the infected portions of the contents of I/O device if the verification process indicates that the contents of the I/O device include the infected portions.

摘要翻译： 支持验证输入输出设备内容的平台。 该平台包括可以验证I / O设备内容的平台硬件。 即使在I / O设备的内容暴露于由主机支持的操作系统之前，平台硬件也可以包括用于验证I / O设备的内容的诸如可管理性引擎和验证引擎的组件。 如果验证过程指示I / O设备的内容包括感染部分，则平台组件可以删除I / O设备的内容的感染部分。

公开(公告)号：US09064116B2

公开(公告)日：2015-06-23

申请号：US12941915

申请日：2010-11-08

申请人： Nicholas D. Triantafillou ,  Paritosh Saxena ,  Robert W. Strong ,  Richard J. Heiler ,  Eliezer Tamir ,  Simoni Ben-Michael ,  Brad W. Stewart ,  Akshay R. Kadam ,  Men Long ,  James T. Doyle ,  Hormuzd M. Khosravi ,  Lokpraveen B. Mosur ,  Edward J. Pullin ,  Paul S. Schmitz ,  Carol L. Barrett ,  Paul J. Thadikaran

发明人： Nicholas D. Triantafillou ,  Paritosh Saxena ,  Robert W. Strong ,  Richard J. Heiler ,  Eliezer Tamir ,  Simoni Ben-Michael ,  Brad W. Stewart ,  Akshay R. Kadam ,  Men Long ,  James T. Doyle ,  Hormuzd M. Khosravi ,  Lokpraveen B. Mosur ,  Edward J. Pullin ,  Paul S. Schmitz ,  Carol L. Barrett ,  Paul J. Thadikaran

IPC分类号： G06F12/00 ,  G06F21/56

CPC分类号： G06F21/566

摘要： Techniques for a data storage device to locally implement security management functionality. In an embodiment, a security management process of the data storage device is to determine whether an access to non-volatile media of the data storage device is authorized. In certain embodiments, the data storage device is to restrict access to a secure region of the non-volatile storage media, the secure region to store information used and/or generated by a security management process of the data storage device.

摘要翻译： 用于数据存储设备本地实现安全管理功能的技术。 在一个实施例中，数据存储设备的安全管理过程是确定对数据存储设备的非易失性介质的访问是否被授权。 在某些实施例中，数据存储设备将限制对非易失性存储介质的安全区域的访问，该安全区域用于存储由数据存储设备的安全管理过程使用和/或生成的信息。

公开(公告)号：US08468279B2

公开(公告)日：2013-06-18

申请号：US12415612

申请日：2009-03-31

申请人： Hormuzd M. Khosravi ,  Venkat R. Gokulrangan ,  Yasser Rasheed ,  Men Long

发明人： Hormuzd M. Khosravi ,  Venkat R. Gokulrangan ,  Yasser Rasheed ,  Men Long

IPC分类号： G06F3/00 ,  G06F5/00

CPC分类号： G06F21/561 ,  G06F21/51 ,  G06F21/56 ,  G06F21/74 ,  G06F21/85 ,  G06F2221/034 ,  G06F2221/2101 ,  G06F2221/2105

摘要： A platform to support verification of the contents of an input-output device. The platform includes a platform hardware, which may verify the contents of the I/O device. The platform hardware may comprise components such as manageability engine and verification engine that are used to verify the contents of the I/O device even before the contents of the I/O device are exposed to an operating system supported by a host. The platform components may delete the infected portions of the contents of I/O device if the verification process indicates that the contents of the I/O device include the infected portions.

公开(公告)号：US08214902B2

公开(公告)日：2012-07-03

申请号：US12487878

申请日：2009-06-19

申请人： Hormuzd M. Khosravi ,  Vincent E. Von Bokern ,  Men Long

发明人： Hormuzd M. Khosravi ,  Vincent E. Von Bokern ,  Men Long

IPC分类号： G06F12/14 ,  G06F11/30 ,  H04L29/06 ,  H04L9/32 ,  H03K19/003

CPC分类号： G06F21/565

摘要： An embodiment may include circuitry that may be comprised in a host. The host may include memory and a host processor to execute an operating system. The circuitry may be to determine, independently of the operating system and the host processor, the authenticity of signature list information, based at least in part upon authentication information received by the circuitry from a remote server. The circuitry also may be to determine, independently of the operating system and the host processor, based at least in part upon comparison of at least one portion of the signature list information with at least one portion of contents of the memory, whether authorized and/or malicious data are present in the at least one portion of the contents of the memory. Of course, many variations, modifications, and alternatives are possible without departing from this embodiment.

摘要翻译： 实施例可以包括可以包括在主机中的电路。 主机可以包括存储器和主机处理器来执行操作系统。 该电路可以至少部分地基于电路从远程服务器接收的认证信息来独立于操作系统和主处理器来确定签名列表信息的真实性。 电路还可以至少部分地基于对签名列表信息的至少一部分与存储器的内容的至少一部分进行比较来独立于操作系统和主处理器来确定是否授权和/ 或恶意数据存在于存储器的内容的至少一部分中。 当然，在不偏离本实施例的情况下，可以进行许多变化，修改和替换。