-
公开(公告)号:US08462955B2
公开(公告)日:2013-06-11
申请号:US12793455
申请日:2010-06-03
申请人: Octavian T. Ureche , Nils Dussart , Michael A. Halcrow , Charles G. Jeffries , Nathan T. Lewis , Cristian M. Ilac , Innokentiy Basmov , Magnus Bo Gustaf Nyström , Niels T. Ferguson
发明人: Octavian T. Ureche , Nils Dussart , Michael A. Halcrow , Charles G. Jeffries , Nathan T. Lewis , Cristian M. Ilac , Innokentiy Basmov , Magnus Bo Gustaf Nyström , Niels T. Ferguson
CPC分类号: H04L9/0894 , H04L9/0822 , H04L63/061 , H04L2463/062
摘要: An online key stored by a remote service is generated or otherwise obtained, and a storage media (as it applies to the storage of data on a physical or virtual storage media) master key for encrypting and decrypting a physical or virtual storage media or encrypting and decrypting one or more storage media encryption keys that are used to encrypt a physical or virtual storage media is encrypted based at least in part on the online key. A key protector for the storage media is stored, the key protector including the encrypted master key. The key protector can be subsequently accessed, and the online key obtained from the remote service. The master key is decrypted based on the online key, allowing the one or more storage media encryption keys that are used to decrypt the storage media to be decrypted.
摘要翻译: 生成或以其他方式获得由远程服务存储的在线密钥,以及存储介质(适用于存储物理或虚拟存储介质上的数据)主密钥,用于加密和解密物理或虚拟存储介质或加密和 至少部分地基于在线密钥来加密用于加密物理或虚拟存储介质的一个或多个存储介质加密密钥的解密。 存储存储介质的密钥保护器,密钥保护器包括加密的主密钥。 随后可以访问密钥保护器,并从远程服务获取在线密钥。 主密钥基于在线密钥解密,允许用于解密存储介质的一个或多个存储介质加密密钥被解密。
-
公开(公告)号:US20110302398A1
公开(公告)日:2011-12-08
申请号:US12793455
申请日:2010-06-03
申请人: Octavian T. Ureche , Nils Dussart , Michael A. Halcrow , Charles G. Jeffries , Nathan T. Lewis , Cristian M. Ilac , Innokentiy Basmov , Bo Gustaf Magnus Nystr+e,uml o+ee m , Niels T. Ferguson
发明人: Octavian T. Ureche , Nils Dussart , Michael A. Halcrow , Charles G. Jeffries , Nathan T. Lewis , Cristian M. Ilac , Innokentiy Basmov , Bo Gustaf Magnus Nystr+e,uml o+ee m , Niels T. Ferguson
CPC分类号: H04L9/0894 , H04L9/0822 , H04L63/061 , H04L2463/062
摘要: An online key stored by a remote service is generated or otherwise obtained, and a storage media (as it applies to the storage of data on a physical or virtual storage media) master key for encrypting and decrypting a physical or virtual storage media or encrypting and decrypting one or more storage media encryption keys that are used to encrypt a physical or virtual storage media is encrypted based at least in part on the online key. A key protector for the storage media is stored, the key protector including the encrypted master key. The key protector can be subsequently accessed, and the online key obtained from the remote service. The master key is decrypted based on the online key, allowing the one or more storage media encryption keys that are used to decrypt the storage media to be decrypted.
摘要翻译: 生成或以其他方式获得由远程服务存储的在线密钥,以及存储介质(适用于存储物理或虚拟存储介质上的数据)主密钥,用于加密和解密物理或虚拟存储介质或加密和 至少部分地基于在线密钥来加密用于加密物理或虚拟存储介质的一个或多个存储介质加密密钥的解密。 存储存储介质的密钥保护器,密钥保护器包括加密的主密钥。 随后可以访问密钥保护器,并从远程服务获取在线密钥。 主密钥基于在线密钥解密,允许用于解密存储介质的一个或多个存储介质加密密钥被解密。
-
3.发明授权Systems and methods for an augmented interrupt controller and synthetic interrupt sources 有权扩展中断控制器和合成中断源的系统和方法公开(公告)号:US07689747B2
公开(公告)日:2010-03-30
申请号:US11092012
申请日:2005-03-28
申请人: Rene Antonio Vega , Nathan T. Lewis
发明人: Rene Antonio Vega , Nathan T. Lewis
IPC分类号: G06F13/24
CPC分类号: G06F13/26
摘要: Various embodiments of the present invention are directed to augmented interrupt controllers (AICs) and to synthetic interrupt sources (SISs) providing richer interrupt information (or “synthetic interrupts” or “SIs”). The AIC and SIS provide efficient means for sending and receiving interrupts, and particularly interrupts sent to and received by virtual machines. Several of these embodiments are specifically directed to an interrupt controller that is extended to accept and deliver additional information associated with an incoming interrupt. For certain such embodiments, a memory-mapped extension to the interrupt controller includes a data structure that is populated with the additional information as part of the interrupt delivery. Although several of the embodiments described herein are disclosed in the context of a virtual machine system, the inventions disclosed herein can also be applied to traditional computer systems (without a virtualization layer) as well.
摘要翻译: 本发明的各种实施例涉及增强中断控制器(AIC)和提供更丰富的中断信息(或“合成中断”或“SI”)的合成中断源(SIS)。 AIC和SIS提供发送和接收中断的有效手段,特别是发送到虚拟机并由其接收的中断。 这些实施例中的几个具体涉及一个中断控制器,该中断控制器被扩展以接受和传送与进入中断相关联的附加信息。 对于某些这样的实施例,对中断控制器的存储器映射扩展包括作为中断传递的一部分的附加信息的数据结构。 虽然本文所描述的几个实施例在虚拟机系统的上下文中被公开,但是本文公开的发明也可以应用于传统的计算机系统(没有虚拟化层)。
-
公开(公告)号:US08635612B2
公开(公告)日:2014-01-21
申请号:US11119200
申请日:2005-04-29
IPC分类号: G06F9/455
CPC分类号: G06F9/45533
摘要: Systems and methods are provided, whereby partitions may become enlightened and discover the presence of a hypervisor. Several techniques of hypervisor discovery are discussed, such as detecting the presence of virtual processor registers (e.g. model specific registers or special-purpose registers) or the presence of virtual hardware devices. Upon discovery, information (code and/or data) may be injected in a partition by the hypervisor, whereby such injection allows the partition to call the hypervisor. Moreover, the hypervisor may present a versioning mechanism that allows the partition to match up the version of the hypervisor to its virtual devices. Next, once code and/or data is injected, calling conventions are established that allow the partition and the hypervisor to communicate, so that the hypervisor may perform some operations on behalf of the partition. Four exemplary calling conventions are considered: restartable instructions, a looping mechanism, shared memory transport, and synchronous or asynchronous processed packets. Last, cancellation mechanisms are considered, whereby partition requests may be cancelled.
摘要翻译: 提供了系统和方法,由此分区可能变得开明并发现管理程序的存在。 讨论了管理程序发现的几种技术,例如检测虚拟处理器寄存器(例如模型特定寄存器或专用寄存器)的存在或虚拟硬件设备的存在。 一旦发现,信息(代码和/或数据)可以由管理程序注入到分区中,由此这种注入允许分区调用管理程序。 此外,管理程序可以呈现允许分区将虚拟机管理程序的版本与其虚拟设备相匹配的版本控制机制。 接下来,一旦注入了代码和/或数据,就建立了允许分区和管理程序进行通信的调用约定,以便管理程序可以代表分区执行一些操作。 考虑四个示例性的呼叫约定:可重新启动的指令,循环机制,共享存储器传输和同步或异步处理的分组。 最后,考虑取消机制,从而可能会取消分区请求。
-
公开(公告)号:US07913074B2
公开(公告)日:2011-03-22
申请号:US11864418
申请日:2007-09-28
CPC分类号: G06F15/16
摘要: Tools and techniques for securely launching encrypted operating systems are described herein. The tools may provide computing systems that include operating systems (OSs) that define boot paths for the systems. This boot path may include first and second OS loader components. The first loader may include instructions for retrieving a list of disk sectors from a first store, and for retrieving these specified sectors from an encrypted second store. The first loader may also store the sectors in a third store that is accessible to both the first and the second loader components, and may invoke the second loader to try launching the OS using these sectors. In turn, the second loader may include instructions for retrieving these sectors from the third store, and for unsealing a key for decrypting these sectors. The second loader may then decrypt these sectors, and attempt to launch the OS from these sectors.
摘要翻译: 本文描述了用于安全启动加密操作系统的工具和技术。 这些工具可以提供包括为系统定义引导路径的操作系统(OS)的计算系统。 该引导路径可以包括第一和第二OS加载器组件。 第一加载器可以包括用于从第一存储检索磁盘扇区列表的指令,并且用于从加密的第二存储中检索这些指定的扇区。 第一加载器还可以将扇区存储在第一和第二加载器组件可访问的第三个存储区中,并且可以调用第二加载器来尝试使用这些扇区启动操作系统。 反过来,第二装载器可以包括用于从第三商店检索这些扇区的指令,以及用于解密用于对这些扇区进行解密的密钥。 然后,第二加载器可以解密这些扇区,并尝试从这些扇区启动OS。
-
公开(公告)号:US20090089568A1
公开(公告)日:2009-04-02
申请号:US11864418
申请日:2007-09-28
IPC分类号: G06F15/177
CPC分类号: G06F15/16
摘要: Tools and techniques for securely launching encrypted operating systems are described herein. The tools may provide computing systems that include operating systems (OSs) that define boot paths for the systems. This boot path may include first and second OS loader components. The first loader may include instructions for retrieving a list of disk sectors from a first store, and for retrieving these specified sectors from an encrypted second store. The first loader may also store the sectors in a third store that is accessible to both the first and the second loader components, and may invoke the second loader to try launching the OS using these sectors. In turn, the second loader may include instructions for retrieving these sectors from the third store, and for unsealing a key for decrypting these sectors. The second loader may then decrypt these sectors, and attempt to launch the OS from these sectors.
摘要翻译: 本文描述了用于安全启动加密操作系统的工具和技术。 这些工具可以提供包括为系统定义引导路径的操作系统(OS)的计算系统。 该引导路径可以包括第一和第二OS加载器组件。 第一加载器可以包括用于从第一存储检索磁盘扇区列表的指令,并且用于从加密的第二存储中检索这些指定的扇区。 第一加载器还可以将扇区存储在第一和第二加载器组件可访问的第三个存储区中,并且可以调用第二加载器来尝试使用这些扇区启动操作系统。 反过来,第二装载器可以包括用于从第三商店检索这些扇区的指令,以及用于解密用于对这些扇区进行解密的密钥。 然后,第二加载器可以解密这些扇区,并尝试从这些扇区启动OS。
-
7.发明授权公开(公告)号:US07293251B2
公开(公告)日:2007-11-06
申请号:US10759818
申请日:2004-01-16
申请人: Pavel Zeman , Nathan T. Lewis , Kenneth D. Ray
发明人: Pavel Zeman , Nathan T. Lewis , Kenneth D. Ray
IPC分类号: G06F9/44
CPC分类号: G06F11/3664 , G06F11/362
摘要: Bifurcated processes, in which a shadow process in a first environment is controlling thread scheduling for a trusted agent in a second, high assurance environment, can be debugged via a two-phase initialization of the debugger. In the first phase, initial set up is accomplished for the trusted agent, but no shadow process will schedule execution for any thread of the trusted agent. The debugger will then be attached. In a second phase, the shadow process will begin scheduling threads for the trusted agent. In order to allow the debugger access to the process memory of the trusted agent or to set or get information regarding a particular thread of the trusted agent, a thread which is either a thread belonging to the trusted agent or belonging to the second execution environment and matched with the trusted agent is used. This admin thread is used to perform the work of retrieving process memory and information regarding threads of the trusted agent, allowing such information from the high assurance environment to be found and used in the debugger in the first execution environment.
摘要翻译: 可以通过调试器的两阶段初始化来调试在第一环境中的影子进程控制第二高保证环境中的可信代理的线程调度的分叉进程。 在第一阶段,为可信代理完成初始设置,但是没有影子进程将调度可信代理的任何线程的执行。 然后调试器将被附加。 在第二阶段,影子进程将开始为可信代理程序调度线程。 为了允许调试器访问可信代理的进程存储器,或设置或获取关于可信代理的特定线程的信息,作为属于可信代理或属于第二执行环境的线程的线程,以及 与可信代理匹配使用。 该管理线程用于执行检索进程内存和有关可信代理的线程的信息的工作,允许在第一执行环境中在调试器中找到并使用来自高保证环境的这些信息。
-
公开(公告)号:US09805196B2
公开(公告)日:2017-10-31
申请号:US12394430
申请日:2009-02-27
CPC分类号: G06F21/57 , A63F13/73 , A63F13/75 , G06F21/51 , G06F21/575 , G06F2221/2149 , G09C1/00 , H04L9/3234 , H04L9/3239 , H04L9/3271
摘要: An anti-cheating system may comprise a combination of a modified environment, such as a modified operating system, in conjunction with a trusted external entity to verify that the modified environment is running on a particular device. The modified environment may be may be modified in a particular manner to create a restricted environment as compared with an original environment which is replaced by the modified environment. The modifications to the modified environment may comprise alternations to the original environment to, for example, detect and/or prevent changes to the hardware and/or software intended to allow cheating or undesirable user behavior.
-
公开(公告)号:US08387152B2
公开(公告)日:2013-02-26
申请号:US12163426
申请日:2008-06-27
IPC分类号: G06F7/04 , G06F17/30 , G06F17/00 , G06F15/16 , G06F12/14 , G06F13/00 , G06F21/00 , H04N7/16 , H04L29/06 , H04L9/32 , H04L9/08
摘要: Computer systems and environments implemented herein permit a local machine increased participation in authorizing access to protected content. An operating system attests to a computing environment at a corresponding computer system. If the computing environment is one permitted to access protected content, the operating system is permitted to regulate further (e.g., application) access to protected content in accordance with a procreation policy. As such, authorization decisions are partially distributed, easing the resource burden on a content protection server. Accordingly, this computing environment can facilitate more robust and efficient authorization decisions when access to protected content is requested.
摘要翻译: 本文实现的计算机系统和环境允许本地机器增加对授权访问受保护内容的参与。 操作系统在相应的计算机系统上证明计算环境。 如果计算环境是允许访问受保护内容的计算环境,则允许操作系统根据生殖策略进一步(例如,应用)调整对受保护内容的访问。 因此,授权决定部分分配,减轻了内容保护服务器的资源负担。 因此,当请求对受保护内容的访问时,该计算环境可以促进更强大和有效的授权决定。
-
公开(公告)号:US20090327705A1
公开(公告)日:2009-12-31
申请号:US12163426
申请日:2008-06-27
摘要: The present invention extends to methods, systems, and computer program products for protecting content. Embodiments of the invention permit a local machine increased participation in authorizing access to protected content. An operating system attests to a computing environment at a corresponding computer system. If the computing environment is one permitted to access protected content, the operating system is permitted to regulate further (e.g., application) access to protected content in accordance with a procreation policy. As such, authorization decisions are partially distributed, easing the resource burden on a content protection server. Accordingly, embodiments of the invention can facilitate more robust and efficient authorization decisions when access to protected content is requested.
摘要翻译: 本发明扩展到用于保护内容的方法,系统和计算机程序产品。 本发明的实施例允许本地机器增加对授权对受保护内容的访问的参与。 操作系统在相应的计算机系统上证明计算环境。 如果计算环境是允许访问受保护内容的计算环境,则允许操作系统根据生殖策略进一步(例如,应用)调整对受保护内容的访问。 因此,授权决定部分分配,减轻了内容保护服务器的资源负担。 因此,当请求访问受保护内容时,本发明的实施例可以促进更强大和有效的授权决定。
-
-
-
-
-
-
-
-
-
搜索结果
13 条记录 (耗时 0.079 秒)
