公开(公告)号：US11062033B2

公开(公告)日：2021-07-13

申请号：US16409902

申请日：2019-05-13

Applicant: VMWARE, INC.

Inventor： Alok Nemchand Kataria ,  Sachin Shinde ,  Achindra Bhatnagar

IPC: G06F21/57 ,  G06F21/71 ,  G06F21/64

Abstract: The disclosure herein describes verifying integrity of security policies on a client device. Policy data sets associated with security applications of virtual machines on the client device are received from a server and stored on the client device. An integrity verifier on the client device receives verified checksums from the server, wherein the verified checksums are associated with the policy data sets. Client-side checksums are generated by the integrity verifier based on the stored policy data sets. Upon generating the client-side checksums, the integrity verifier compares the verified checksums to the generated client-side checksums. Based on the comparison indicating that a verified checksum and a client-side checksum differ, the integrity verifier generates a checksum failure indicator, wherein the client device is configured to take corrective measures to restore integrity of the virtual machines based on the checksum failure indicator.

公开(公告)号：US20200218792A1

公开(公告)日：2020-07-09

申请号：US16296273

申请日：2019-03-08

Applicant: VMWARE, INC.

Inventor： ALOK NEMCHAND KATARIA ,  Achindra Bhatnagar ,  Sachin Shinde ,  Martim Carbone ,  Deep Shah

IPC: G06F21/12 ,  G06F21/60 ,  G06F21/62 ,  G06F21/64 ,  H04L9/32

Abstract: Techniques for verifying the integrity of application data using secure hardware enclaves are provided. In one set of embodiments, a client system can create a secure hardware enclave on the client system and load program code for an integrity verifier into the secure hardware enclave. The client system can further receive a dataset from a server system and store the dataset at a local storage or memory location, and receive, via the integrity verifier, a cryptographic hash of the dataset from the server system and store the received cryptographic hash at a memory location within the secure hardware enclave. Then, on a periodic basis, the integrity verifier can compute a cryptographic hash of the stored dataset, compare the computed cryptographic hash against the stored cryptographic hash, and if the computed cryptographic hash does not match the stored cryptographic hash, determine that the stored dataset has been modified.

公开(公告)号：US11170077B2

公开(公告)日：2021-11-09

申请号：US16296273

申请日：2019-03-08

Applicant: VMWARE, INC.

Inventor： Alok Nemchand Kataria ,  Achindra Bhatnagar ,  Sachin Shinde ,  Martim Carbone ,  Deep Shah

IPC: G06F21/12 ,  G06F21/60 ,  H04L9/32 ,  G06F21/64 ,  G06F21/62

Abstract: Techniques for verifying the integrity of application data using secure hardware enclaves are provided. In one set of embodiments, a client system can create a secure hardware enclave on the client system and load program code for an integrity verifier into the secure hardware enclave. The client system can further receive a dataset from a server system and store the dataset at a local storage or memory location, and receive, via the integrity verifier, a cryptographic hash of the dataset from the server system and store the received cryptographic hash at a memory location within the secure hardware enclave. Then, on a periodic basis, the integrity verifier can compute a cryptographic hash of the stored dataset, compare the computed cryptographic hash against the stored cryptographic hash, and if the computed cryptographic hash does not match the stored cryptographic hash, determine that the stored dataset has been modified.

公开(公告)号：US20200272742A1

公开(公告)日：2020-08-27

申请号：US16409902

申请日：2019-05-13

Applicant: VMWARE, INC.

Inventor： ALOK NEMCHAND KATARIA ,  Sachin Shinde ,  Achindra Bhatnagar

IPC: G06F21/57 ,  G06F21/64 ,  G06F21/71

Abstract: The disclosure herein describes verifying integrity of security policies on a client device. Policy data sets associated with security applications of virtual machines on the client device are received from a server and stored on the client device. An integrity verifier on the client device receives verified checksums from the server, wherein the verified checksums are associated with the policy data sets. Client-side checksums are generated by the integrity verifier based on the stored policy data sets. Upon generating the client-side checksums, the integrity verifier compares the verified checksums to the generated client-side checksums. Based on the comparison indicating that a verified checksum and a client-side checksum differ, the integrity verifier generates a checksum failure indicator, wherein the client device is configured to take corrective measures to restore integrity of the virtual machines based on the checksum failure indicator.