Abstract:
Generally, this disclosure describes a secure network topology on a virtualized server (and methods thereof). A virtualization management module is deployed as part of the software layer of a virtualized server system. The virtualization management module creates an internal network among the virtual machines and controls access to that network. It translates incoming and outgoing traffic between the virtual machines and an external internet IP address, so the virtual machines remain only indirectly coupled to the external network. The virtualization management module also provides remote administration and control over each virtual machine (or collection of virtual machines).
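The property the abstract relies on is that address translation is stateful: a virtual machine is reachable from outside only through a mapping that one of its own outbound flows created. The following added example (not code from the disclosure) models that translation table in Python; the external address, the internal prefix and the packets are constructed for illustration.

```python
"""Toy stateful NAT table of the kind a virtualization management module
would keep between an internal VM network and one external IP address.
Added example; not code from the disclosure. Addresses, ports and packets
below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

EXTERNAL_IP = "203.0.113.10"   # assumed external address (documentation range)
INTERNAL_NET = "10.0.0."       # assumed internal VM network prefix


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Maps (vm_ip, vm_port) <-> (EXTERNAL_IP, ephemeral port).

    Inbound packets are only translated when an outbound flow already
    created a mapping, so VMs are never directly reachable from outside.
    """

    def __init__(self, first_port: int = 40000) -> None:
        self._next_port = first_port
        self._out: dict[tuple[str, int], int] = {}   # (vm_ip, vm_port) -> ext_port
        self._in: dict[int, tuple[str, int]] = {}    # ext_port -> (vm_ip, vm_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a VM -> internet packet; refuse non-internal sources."""
        if not pkt.src_ip.startswith(INTERNAL_NET):
            return None  # spoofed or misrouted source: drop
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[port] = key
        return Packet(EXTERNAL_IP, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate internet -> VM only for ports with an existing mapping."""
        if pkt.dst_ip != EXTERNAL_IP or pkt.dst_port not in self._in:
            return None  # unsolicited inbound traffic: drop
        vm_ip, vm_port = self._in[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, vm_ip, vm_port)


def demo() -> tuple[Optional[Packet], Optional[Packet], Optional[Packet]]:
    """One outbound flow, its legitimate reply, and an unsolicited probe."""
    nat = NatTable()
    out = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 443))
    reply = nat.inbound(Packet("198.51.100.7", 443, EXTERNAL_IP, out.src_port))
    probe = nat.inbound(Packet("198.51.100.9", 12345, EXTERNAL_IP, 40001))
    return out, reply, probe
```

The probe in `demo()` targets a port no VM has opened, so it is dropped before any VM sees it; that is the "indirectly coupled" guarantee in code form. A real implementation would also age mappings out and bind them to the remote endpoint.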
Abstract:
Generally, this disclosure provides methods and systems for dynamic feature enhancement in client-server applications and for high-volume server deployment with dynamic app store integration; it further enables delivery of a secure server in a pre-configured, turnkey state through an automated process tailored to mass production. The system may include a server application module configured to receive request packets from, and send response packets to, a web-based client application, the packets comprising input data, output data and control commands associated with a feature; and a script engine module coupled to the server application module, the script engine module configured to identify a plug-in application on a remote server, download the plug-in application and execute it under control of the server application module, wherein the plug-in application implements the feature.
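A script engine that downloads and executes plug-ins is a supply-chain boundary: whatever sits on the remote server runs with the server application's privileges unless the engine checks the artifact first. The added example below (not the disclosure's code) shows the check a practitioner would put in front of execution: a pinned digest compared in constant time, and the plug-in run with an explicit, minimal API rather than full builtins. The manifest format, the `emit` API and the plug-in source are assumptions.

```python
"""Script engine step: fetch a plug-in, check it against a pinned manifest
and run it under the server application module's control.
Added example, not the disclosure's code; the manifest format, the `emit`
API surface and the plug-in source are assumptions."""
import hashlib
import hmac

# Constructed plug-in as it would arrive from the remote server.
PLUGIN_SOURCE = b"""
def feature(input_data):
    # plug-in implementing the 'uppercase' feature
    return emit(input_data.upper())
"""

# Constructed manifest: the server application module ships or pins this,
# so a plug-in swapped on the remote server fails the check.
MANIFEST = {
    "name": "uppercase",
    "sha256": hashlib.sha256(PLUGIN_SOURCE).hexdigest(),
}


def fetch_plugin(name: str, tampered: bool = False) -> bytes:
    """Stand-in for the download; `tampered` simulates a modified remote copy."""
    src = PLUGIN_SOURCE
    return src.replace(b"upper", b"lower") if tampered else src


def verify_plugin(blob: bytes, manifest: dict) -> bool:
    """Constant-time compare of the downloaded blob's digest with the pin."""
    digest = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])


def run_plugin(blob: bytes, input_data: str) -> str:
    """Execute the plug-in with a minimal, explicit API instead of full builtins."""
    outputs: list[str] = []

    def emit(value: str) -> str:
        outputs.append(value)
        return value

    # Only `emit` is exposed; output data flows back through it.
    scope = {"__builtins__": {}, "emit": emit}
    exec(compile(blob, "<plugin>", "exec"), scope)
    scope["feature"](input_data)
    return outputs[-1]


def handle_request(name: str, input_data: str, tampered: bool = False) -> str:
    """Server application module path: fetch, verify, then execute."""
    blob = fetch_plugin(name, tampered)
    if not verify_plugin(blob, MANIFEST):
        raise ValueError("plug-in failed integrity check; refusing to execute")
    return run_plugin(blob, input_data)


def rejects_tampered(name: str = "uppercase") -> bool:
    """True when a modified plug-in is refused before execution."""
    try:
        handle_request(name, "x", tampered=True)
    except ValueError:
        return True
    return False
```

A pinned digest only proves the download matches what the manifest expected; shipping new plug-in versions requires the manifest itself to be authenticated (a signature over it), otherwise an attacker who controls the remote server simply updates both.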
Abstract:
A processor to support platform migration of secure enclaves is disclosed. In one embodiment, the processor includes a memory controller unit to access secure enclaves and a processor core coupled to the memory controller unit. The processor core identifies a control structure associated with a secure enclave. The control structure comprises a plurality of data slots and keys associated with a first platform comprising the memory controller unit and the processor core. A version of data from the secure enclave is associated with the plurality of data slots. Migratable keys are generated as a replacement for the keys associated with the control structure; the migratable keys control access to the secure enclave. Thereafter, the control structure is migrated to a second platform to enable access to the secure enclave on the second platform.
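The step that matters for migration is re-keying: the slots are sealed under a key only the first platform can derive, so they must be opened and sealed again under a key that travels with the control structure. The added example below (not the disclosure's code) walks through that in Python with a toy HMAC-SHA256 keystream cipher standing in for the hardware's memory encryption; the cipher, slot layout and platform secrets are assumptions chosen so the example runs offline, and a real design would use an AEAD. It also bumps the data version on re-keying so a copy sealed under the old key cannot be replayed after migration.

```python
"""Re-keying a secure enclave's control structure for platform migration.
Added example, not the disclosure's code. The stream cipher (HMAC-SHA256
counter keystream), slot layout and platform secrets are assumptions
chosen so the example runs offline; a real design would use an AEAD."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style cipher: XOR data with HMAC(key, nonce||counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def platform_key(platform_secret: bytes, enclave_id: bytes) -> bytes:
    """Key bound to one platform: derived from a secret only that platform holds."""
    return hmac.new(platform_secret, b"enclave-key|" + enclave_id, hashlib.sha256).digest()


def seal_slots(key: bytes, slots: list[bytes], version: int) -> dict:
    """Control structure: per-slot ciphertext plus a version and a MAC over all of it."""
    nonce = version.to_bytes(8, "big")
    sealed = [keystream_xor(key, nonce + i.to_bytes(4, "big"), s) for i, s in enumerate(slots)]
    mac = hmac.new(key, nonce + b"".join(sealed), hashlib.sha256).digest()
    return {"version": version, "slots": sealed, "mac": mac}


def unseal_slots(key: bytes, cs: dict) -> list[bytes]:
    """Check the MAC under `key`, then decrypt every slot; wrong key -> ValueError."""
    nonce = cs["version"].to_bytes(8, "big")
    expected = hmac.new(key, nonce + b"".join(cs["slots"]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cs["mac"]):
        raise ValueError("control structure MAC check failed")
    return [keystream_xor(key, nonce + i.to_bytes(4, "big"), s) for i, s in enumerate(cs["slots"])]


def make_migratable(platform_secret: bytes, enclave_id: bytes, cs: dict) -> tuple[bytes, dict]:
    """Replace the platform-bound key with a fresh migratable key.

    The data version is bumped so a stale copy sealed under the old key
    cannot be replayed after migration."""
    slots = unseal_slots(platform_key(platform_secret, enclave_id), cs)
    migratable_key = os.urandom(32)   # transported to the target under its own protection
    return migratable_key, seal_slots(migratable_key, slots, cs["version"] + 1)


def migrate_roundtrip() -> list[bytes]:
    """Seal on platform A, re-key, open on platform B with only the migratable key."""
    secret_a, enclave_id = b"platform-A-fused-secret", b"enclave-42"   # constructed
    slots = [b"thread-control-state", b"enclave-secret-data"]           # constructed
    cs_a = seal_slots(platform_key(secret_a, enclave_id), slots, version=1)
    mkey, cs_mig = make_migratable(secret_a, enclave_id, cs_a)
    # Platform B has no secret_a; it uses the migratable key it received.
    return unseal_slots(mkey, cs_mig)


def old_key_rejected() -> bool:
    """After re-keying, the original platform key must no longer open the structure."""
    secret_a, enclave_id = b"platform-A-fused-secret", b"enclave-42"
    cs_a = seal_slots(platform_key(secret_a, enclave_id), [b"slot"], version=1)
    _, cs_mig = make_migratable(secret_a, enclave_id, cs_a)
    try:
        unseal_slots(platform_key(secret_a, enclave_id), cs_mig)
    except ValueError:
        return True
    return False
```

How the migratable key itself reaches the second platform (wrapped to an attested key on the target) is outside this snippet; the point here is that the control structure leaving platform A carries nothing that depends on platform A's secret.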
Abstract:
Methods and apparatus for extending packet processing to trusted programmable and fixed-function accelerators. Secure enclaves are created in the system memory of a compute platform, wherein software code external to a secure enclave cannot access code or data within that enclave, while software code inside a secure enclave can access code and data both within the enclave and external to it. Software code implementing packet processing operations is installed in the secure enclaves. The compute platform further includes one or more hardware-based accelerators used by that software to offload packet processing operations. The accelerators read packet data from input queues, process the data, and write processed data to output queues, where the input and output queues are located in encrypted portions of memory that may be inside a secure enclave or external to it. Tokens are used by the accelerators to validate access to memory in secure enclaves, and by both accelerators and enclaves to access encrypted memory external to the secure enclaves.
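The token is what keeps an accelerator from reading enclave memory it was never handed: whoever arbitrates the access needs to check that the token was issued by the enclave, names this accelerator and this queue, grants the requested operation, and has not expired. The added example below (not the disclosure's code) shows both sides of that exchange in Python: an issuer inside the enclave and an arbiter that checks each access. The token layout (HMAC-SHA256 over packed fields), the shared token key and the identifiers are assumptions.

```python
"""Access tokens an enclave issues to a hardware accelerator so a memory
arbiter can validate queue reads and writes. Added example, not the
disclosure's code; the token layout (HMAC-SHA256 over the fields), the
shared token key and the queue/accelerator identifiers are assumptions."""
import hashlib
import hmac
import struct

READ, WRITE = 1, 2


class EnclaveTokenIssuer:
    """Lives inside the enclave; shares token_key only with the arbiter."""

    def __init__(self, token_key: bytes) -> None:
        self._key = token_key

    def issue(self, accel_id: int, queue_id: int, perms: int, expires_epoch: int) -> bytes:
        # accel_id (4) | queue_id (4) | perms (1) | expiry (8) | 16-byte truncated MAC
        body = struct.pack(">IIBQ", accel_id, queue_id, perms, expires_epoch)
        tag = hmac.new(self._key, body, hashlib.sha256).digest()[:16]
        return body + tag


class MemoryArbiter:
    """Checks every accelerator access to an enclave-owned queue."""

    def __init__(self, token_key: bytes) -> None:
        self._key = token_key

    def check(self, token: bytes, accel_id: int, queue_id: int, op: int, now_epoch: int) -> bool:
        if len(token) != 33:
            return False                       # malformed token
        body, tag = token[:17], token[17:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            return False                       # forged or bit-flipped token
        t_accel, t_queue, t_perms, t_exp = struct.unpack(">IIBQ", body)
        return (t_accel == accel_id and t_queue == queue_id   # bound to one accelerator and queue
                and t_perms & op == op                          # requested op is granted
                and now_epoch < t_exp)                          # not expired


def scenario() -> dict:
    """Constructed run: a read-only token for accelerator 7 on queue 1."""
    key = b"per-boot-shared-secret"   # assumed: provisioned to the arbiter at enclave creation
    issuer, arbiter = EnclaveTokenIssuer(key), MemoryArbiter(key)
    tok = issuer.issue(accel_id=7, queue_id=1, perms=READ, expires_epoch=1_000)
    forged = tok[:-1] + bytes([tok[-1] ^ 0x01])   # flip one bit of the MAC
    return {
        "read_ok": arbiter.check(tok, 7, 1, READ, now_epoch=500),
        "write_denied": arbiter.check(tok, 7, 1, WRITE, now_epoch=500),
        "other_accel": arbiter.check(tok, 8, 1, READ, now_epoch=500),
        "expired": arbiter.check(tok, 7, 1, READ, now_epoch=1_000),
        "forged": arbiter.check(forged, 7, 1, READ, now_epoch=500),
    }
```

Binding the token to accelerator, queue and operation is what stops a token handed out for one input queue from being replayed against an output queue or by a different accelerator; the expiry bounds how long a leaked token is useful.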
Abstract:
Methods and apparatus for implementing trusted packet processing for multi-domain separation and security. Secure enclaves are created in the system memory of a compute platform configured to support a virtualized execution environment including a plurality of virtual machines (VMs) or containers, each secure enclave occupying a respective protected portion of the system memory, wherein software code external to a secure enclave cannot access code or data within that enclave, while software code inside a secure enclave can access code and data both within the enclave and external to it. Software code implementing packet processing operations is installed in the secure enclaves. The software in the secure enclaves is then executed to perform the packet processing operations. Various configurations of secure enclaves and software code may be implemented, including configurations supporting service chains both within a VM or container and across multiple VMs or containers, as well as parallel packet processing operations.
Abstract:
In an example, a computing device includes a trusted execution environment (TEE) containing an enclave. The enclave may include both a binary translation engine (BTE) and an input verification engine (IVE). In one embodiment, the IVE receives a trusted binary as input and analyzes it to identify the functions, classes and variables that perform input/output operations. To secure these interfaces, those operations may be performed within the enclave. The IVE tags the trusted binary and provides it to the BTE. The BTE then translates the trusted binary into a second format, designating the tagged portion for execution within the enclave. The BTE may also sign the new binary in the second format and export it out of the enclave.
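The IVE's job is a static partitioning decision: walk the program, find the functions that touch an I/O boundary, and tag them so the translator places them inside the enclave. The added example below (not the disclosure's code) performs that analysis on Python source with the `ast` module rather than on a native binary, then binds the resulting tag map to the exact source it describes and MACs the pair, standing in for the BTE's signature. The list of I/O calls, the signing key and the sample program are assumptions.

```python
"""Input-verification step: find the functions in a program that perform
I/O and tag them for execution inside the enclave, then emit a signed
partition map. Added example, not the disclosure's code; it works on
Python source via `ast` rather than on a native binary, and the I/O call
list, the signing key and the sample program are assumptions."""
import ast
import hashlib
import hmac
import json

# Calls treated as input/output boundaries (assumed list).
IO_CALLS = {"open", "input", "print", "socket.socket", "urllib.request.urlopen"}

# Constructed sample program to partition.
SAMPLE_PROGRAM = """
import socket
def read_config(path):
    with open(path) as f:
        return f.read()
def parse(cfg):
    return dict(line.split('=', 1) for line in cfg.splitlines() if '=' in line)
def serve(host, port):
    s = socket.socket()
    s.bind((host, port))
def helper():
    return 1
"""


def _call_name(node: ast.Call) -> str:
    """Render `a.b.c(...)` as 'a.b.c' and `open(...)` as 'open'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def tag_io_functions(source: str) -> dict:
    """Return {function_name: 'enclave' | 'untrusted'} based on the calls it makes."""
    tags = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            calls = {_call_name(c) for c in ast.walk(node) if isinstance(c, ast.Call)}
            tags[node.name] = "enclave" if calls & IO_CALLS else "untrusted"
    return tags


def sign_partition(source: str, tags: dict, key: bytes) -> dict:
    """Bind the tag map to the exact source it describes and MAC the pair."""
    payload = {"source_sha256": hashlib.sha256(source.encode()).hexdigest(), "tags": tags}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_partition(signed: dict, key: bytes) -> bool:
    """Consumer-side check before trusting the partition map."""
    body = json.dumps(signed["payload"], sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), signed["mac"])
```

Including the source digest in the signed payload is the caveat worth remembering: a tag map that is signed on its own could be replayed against a different binary, so the signature has to cover both the map and the artifact it partitions.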