公开(公告)号：US08060934B2

公开(公告)日：2011-11-15

申请号：US12059387

申请日：2008-03-31

申请人： Serdar Cabuk ,  David Plaquin ,  Christopher Ian Dalton

发明人： Serdar Cabuk ,  David Plaquin ,  Christopher Ian Dalton

IPC分类号： G06F11/00 ,  G06F17/30

CPC分类号： G06F21/57

摘要： A method and apparatus are provided for tracking the state of a software component in use on a computing platform. Upon a change of a first type in the software component (such as a change to an integrity-critical part of the component), an appropriate integrity metric of the software component is reliably measured and recorded in cumulative combination with any previous integrity metric values recorded for changes of the first type to the software component. Upon a change of a second type in the software component (such as a change to a non integrity-critical part of the component), an appropriate integrity metric of the software component is reliably measured and recorded as a replacement for any previous integrity metric value recorded for changes of the second type to the software component. The two resultant values provide an indication of the integrity state of the software component.

摘要翻译： 提供了一种用于跟踪在计算平台上使用的软件组件的状态的方法和装置。 在软件组件中的第一类型的更改（例如对组件的完整性关键部分的改变）中，可以可靠地测量和记录软件组件的适当的完整性度量并且与所记录的任何先前的完整性度量值 用于将第一类型更改为软件组件。 在软件组件中的第二类型的更改（例如对组件的非完整性关键部分的改变）中，软件组件的适当的完整性度量被可靠地测量并记录为任何先前的完整性度量值 记录第二类型与软件组件的变化。 两个结果值提供了软件组件的完整性状态的指示。

公开(公告)号：US20090013406A1

公开(公告)日：2009-01-08

申请号：US12059387

申请日：2008-03-31

申请人： Serdar CABUK ,  David Plaquin ,  Christopher Ian Dalton

发明人： Serdar CABUK ,  David Plaquin ,  Christopher Ian Dalton

IPC分类号： G06F11/00

CPC分类号： G06F21/57

摘要： A method and apparatus are provided for tracking the state of a software component in use on a computing platform. Upon a change of a first type in the software component (such as a change to an integrity-critical part of the component), an appropriate integrity metric of the software component is reliably measured and recorded in cumulative combination with any previous integrity metric values recorded for changes of the first type to the software component. Upon a change of a second type in the software component (such as a change to a non integrity-critical part of the component), an appropriate integrity metric of the software component is reliably measured and recorded as a replacement for any previous integrity metric value recorded for changes of the second type to the software component. The two resultant values provide an indication of the integrity state of the software component.

摘要翻译： 提供了一种用于跟踪在计算平台上使用的软件组件的状态的方法和装置。 在软件组件中的第一类型的更改（例如对组件的完整性关键部分的改变）中，可以可靠地测量和记录软件组件的适当的完整性度量并且与所记录的任何先前的完整性度量值 用于将第一类型更改为软件组件。 在软件组件中的第二类型的更改（例如对组件的非完整性关键部分的改变）中，软件组件的适当的完整性度量被可靠地测量并记录为任何先前的完整性度量值 记录第二类型与软件组件的变化。 两个结果值提供了软件组件的完整性状态的指示。

公开(公告)号：US09361462B2

公开(公告)日：2016-06-07

申请号：US12638726

申请日：2009-12-15

申请人： Liqun Chen ,  Mark Ryan ,  David Plaquin ,  Serdar Cabuk

发明人： Liqun Chen ,  Mark Ryan ,  David Plaquin ,  Serdar Cabuk

IPC分类号： G06F21/57

CPC分类号： G06F21/57

摘要： A method and system is provided for operatively associating a signing key with a software component of a computing platform. The computing platform includes a trusted device and on start-up first loads a set of software components with each component being measured prior to loading and a corresponding integrity metric recorded in registers of the trusted device. The system stores a key-related item in secure persistent storage, the key-related item being either the signing key or authorization data for its use. The trusted device is arranged to enable a component of the software-component set to obtain the key-related item, this enabling only occurring when the current register values correspond to values only present prior to loading of components additional to those of the software-component set. Certificate evidence is provided indicating that the signing key is operatively associated with a component of the software-component set.

摘要翻译： 提供了一种用于将签名密钥与计算平台的软件组件可操作地相关联的方法和系统。 计算平台包括可信设备，并且在启动时首先加载一组软件组件，每个组件在加载之前被测量，以及相应的完整性度量记录在可信设备的寄存器中。 系统将密钥相关项目存储在安全永久存储中，密钥相关项目是签名密钥或授权数据供其使用。 可信设备被布置为使得软件组件集合的组件能够获得密钥相关项目，这仅在当前寄存器值对应于仅在向软件组件的组件加载之外的组件加载之前存在的值时才发生 组。 提供了证明证据，指示签名密钥与软件组件集合的组件可操作地相关联。

公开(公告)号：US20100161998A1

公开(公告)日：2010-06-24

申请号：US12638726

申请日：2009-12-15

申请人： Liqun Chen ,  Mark Ryan ,  David Plaquin ,  Serdar Cabuk

发明人： Liqun Chen ,  Mark Ryan ,  David Plaquin ,  Serdar Cabuk

IPC分类号： G06F21/00

CPC分类号： G06F21/57

摘要： A method and system is provided for operatively associating a signing key with a software component of a computing platform. The computing platform includes a trusted device and on start-up first loads a set of software components with each component being measured prior to loading and a corresponding integrity metric recorded in registers of the trusted device. The system stores a key-related item in secure persistent storage, the key-related item being either the signing key or authorisation data for its use. The trusted device is arranged to enable a component of the software-component set to obtain the key-related item, this enabling only occurring when the current register values correspond to values only present prior to loading of components additional to those of the software-component set. Certificate evidence is provided indicating that the signing key is operatively associated with a component of the software-component set.

摘要翻译： 提供了一种用于将签名密钥与计算平台的软件组件可操作地相关联的方法和系统。 计算平台包括可信设备，并且在启动时首先加载一组软件组件，每个组件在加载之前被测量，以及相应的完整性度量记录在可信设备的寄存器中。 系统将密钥相关项目存储在安全永久存储中，密钥相关项目是签名密钥或授权数据供其使用。 可信设备被布置为使得软件组件集合的组件能够获得密钥相关项目，这仅在当前寄存器值对应于仅在向软件组件的组件加载之外的组件加载之前存在的值时才发生 组。 提供了证明证据，指示签名密钥与软件组件集合的组件可操作地相关联。

公开(公告)号：US08069450B2

公开(公告)日：2011-11-29

申请号：US10765827

申请日：2004-01-26

申请人： Yolanta Beresnevichiene ,  David Plaquin ,  Christopher I. Dalton

发明人： Yolanta Beresnevichiene ,  David Plaquin ,  Christopher I. Dalton

IPC分类号： G06F3/00 ,  G06F9/44 ,  G06F9/46 ,  G06F13/00

CPC分类号： G06F21/62 ,  G06F9/468 ,  G06F21/52 ,  G06F21/6209 ,  G06F2221/2141 ,  G06F2221/2153

摘要： A method of computer operating system data management comprising the steps of: (a) associating data management information with data input to a process (300); and (b) regulating operating system operations involving the data according to the data management information is provided (310). A computing platform (1) for operating system data management is also provided. Furthermore, a computer program including instructions configured to enable operating system data management, an operating system, and an operating system data management method and apparatus arranged to identify data having data management information associated therewith when that data is read into a memory space are provided.

摘要翻译： 一种计算机操作系统数据管理的方法，包括以下步骤：（a）将数据管理信息与输入到过程（300）的数据相关联; 提供（b）根据数据管理信息调整涉及数据的操作系统操作（310）。 还提供了用于操作系统数据管理的计算平台（1）。 此外，提供了包括被配置为使得操作系统数据管理的指令，操作系统和操作系统数据管理方法和装置的计算机程序，其被配置为当该数据被读入存储器空间时，识别与其相关联的数据管理信息的数据。

公开(公告)号：US20060265598A1

公开(公告)日：2006-11-23

申请号：US11389336

申请日：2006-03-23

申请人： David Plaquin ,  Marco Ricca ,  Boris Balacheff

发明人： David Plaquin ,  Marco Ricca ,  Boris Balacheff

IPC分类号： G06K9/00 ,  G06F12/14 ,  H04L9/00 ,  H04L9/32 ,  G06F17/30 ,  G06F12/00 ,  G06F11/00 ,  H04K1/00 ,  G06F11/30 ,  G06F15/16 ,  G06F13/00 ,  G06F12/16 ,  G06F7/04 ,  G06F15/18 ,  G06F7/58 ,  G08B23/00 ,  G06K19/00 ,  G11C7/00

CPC分类号： H04L63/0853 ,  H04L63/0892

摘要： A method for managing access to a computing environment by a computing device includes providing at least one credential that identifies both the computing device and a user of the computing device, storing data at the computing environment relating to the computing device and the user in association with the credential, and selectively granting an access request received from the computing device using the credential in accordance with the data stored at the computing environment.

公开(公告)号：US08539587B2

公开(公告)日：2013-09-17

申请号：US11908920

申请日：2006-03-22

申请人： Graeme John Proudler ,  William Burton ,  Dirk Kuhlmann ,  David Plaquin

发明人： Graeme John Proudler ,  William Burton ,  Dirk Kuhlmann ,  David Plaquin

IPC分类号： G06F21/00

CPC分类号： G06F21/64 ,  G06F21/57

摘要： A data structure has within it the following elements: an identification of a data structure type; and a proof that two or more instances of the data structure type are as trustworthy as each other. Methods and devices using such data structures are described.

摘要翻译： 数据结构中包含以下元素：数据结构类型的标识; 以及数据结构类型的两个或多个实例彼此信任的证明。 描述使用这种数据结构的方法和装置。

公开(公告)号：US07467370B2

公开(公告)日：2008-12-16

申请号：US11090964

申请日：2005-03-25

申请人： Graeme John Proudler ,  Boris Balacheff ,  David Plaquin

发明人： Graeme John Proudler ,  Boris Balacheff ,  David Plaquin

IPC分类号： G06F9/44

CPC分类号： G06F21/57 ,  G06F21/575 ,  G06F21/62 ,  G06F2221/2105 ,  G06F2221/2145 ,  G06F2221/2149 ,  G06F2221/2153

摘要： A computer apparatus for creating a trusted environment comprising a trusted device arranged to acquire a first integrity metric to allow determination as to whether the computer apparatus is operating in a trusted manner; a processor arranged to allow execution of a first trust routine and associated first operating environment, and means for restricting the first operating environment access to resources available to the trust routine, wherein the trust routine being arranged to acquire the first integrity metric and a second integrity metric to allow determination as to whether the first operating environment is operating in a trusted manner.

摘要翻译： 一种用于创建可信环境的计算机设备，包括被配置为获取第一完整性度量以允许确定所述计算机设备是否以可信任方式操作的信任设备; 布置成允许执行第一信任例程和相关联的第一操作环境的处理器以及用于限制第一操作环境访问可用于信任例程的资源的装置，其中所述信任例程被布置为获取第一完整性度量和第二完整性度量 以允许确定第一操作环境是否以可信任的方式操作。

公开(公告)号：US20080282348A1

公开(公告)日：2008-11-13

申请号：US11908920

申请日：2006-03-22

申请人： Graeme John Proudler ,  William Burton ,  Dirk Kuhlmann ,  David Plaquin

发明人： Graeme John Proudler ,  William Burton ,  Dirk Kuhlmann ,  David Plaquin

IPC分类号： G06F21/00

CPC分类号： G06F21/64 ,  G06F21/57

摘要： A data structure has within it the following elements: an identification of a data structure type; and a proof that two or more instances of the data structure type are as trustworthy as each other. Methods and devices using such data structures are described.

摘要翻译： 数据结构中包含以下元素：数据结构类型的标识; 以及数据结构类型的两个或多个实例彼此信任的证明。 描述使用这种数据结构的方法和装置。

公开(公告)号：US20050223221A1

公开(公告)日：2005-10-06

申请号：US11090964

申请日：2005-03-25

申请人： Graeme Proudler ,  Boris Balacheff ,  David Plaquin

发明人： Graeme Proudler ,  Boris Balacheff ,  David Plaquin

IPC分类号： G06F21/57 ,  G06F21/62 ,  G06F9/45

CPC分类号： G06F21/57 ,  G06F21/575 ,  G06F21/62 ,  G06F2221/2105 ,  G06F2221/2145 ,  G06F2221/2149 ,  G06F2221/2153

摘要： A computer apparatus for creating a trusted environment comprising a trusted device arranged to acquire a first integrity metric to allow determination as to whether the computer apparatus is operating in a trusted manner; a processor arranged to allow execution of a first trust routine and associated first operating environment, and means for restricting the first operating environment access to resources available to the trust routine, wherein the trust routine being arranged to acquire the first integrity metric and a second integrity metric to allow determination as to whether the first operating environment is operating in a trusted manner.

摘要翻译： 一种用于创建可信环境的计算机设备，包括被配置为获取第一完整性度量以允许确定所述计算机设备是否以可信任方式操作的信任设备; 布置成允许执行第一信任例程和相关联的第一操作环境的处理器以及用于限制第一操作环境访问可用于信任例程的资源的装置，其中所述信任例程被布置为获取第一完整性度量和第二完整性度量 以允许确定第一操作环境是否以可信任的方式操作。