专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US07730318B2 Integration of high-assurance features into an application through application factoring 有权
标题翻译：通过应用程序保理将高保证功能集成到应用程序中
公开(公告)号：US07730318B2
公开(公告)日：2010-06-01
申请号：US10693749
申请日：2003-10-24
申请人： Thekkthalackal Varugis Kurien , Kenneth D. Ray , Marcus Peinado , Paul England
发明人： Thekkthalackal Varugis Kurien , Kenneth D. Ray , Marcus Peinado , Paul England
IPC分类号： H04L9/32
CPC分类号： G06F21/53
摘要： Application factoring or partitioning is used to integrate secure features into a conventional application. An application's functionality is partitioned into two sets according to whether a given action does, or does not, involve the handling of sensitive data. Separate software objects (processors) are created to perform these two sets of actions. A trusted processor handles secure data and runs in a high-assurance environment. When another processor encounters secure data, that data is sent to the trusted processor. The data is wrapped in such a way that allows it to be routed to the trusted processor, and prevents the data from being deciphered by any entity other than the trusted processor. An infrastructure is provided that wraps objects, routes them to the correct processor, and allows their integrity to be attested through a chain of trust leading back to base component that is known to be trustworthy.
摘要翻译：应用因子分解或分区用于将安全特征集成到常规应用中。应用程序的功能根据给定操作是否涉及敏感数据的处理而分为两组。创建独立的软件对象（处理器）来执行这两组操作。值得信赖的处理器处理安全数据并在高保证环境中运行。当另一个处理器遇到安全数据时，该数据被发送到可信处理器。以允许将数据路由到可信处理器的方式包装数据，并且防止数据被除可信处理器之外的任何实体解密。提供了一个基础设施，用于包装对象，将它们路由到正确的处理器，并通过一系列信任来验证其完整性，并将其引导回已知可靠的基础组件。

2. 发明授权

US07694121B2 System and method for protected operating system boot using state validation 有权
标题翻译：使用状态验证的受保护操作系统引导的系统和方法
公开(公告)号：US07694121B2
公开(公告)日：2010-04-06
申请号：US10882134
申请日：2004-06-30
申请人： Bryan Mark Willman , Paul England , Kenneth D. Ray , Jamie Hunter , Lonnie Dean McMichael , Derek Norman LaSalle , Pierre Jacomet , Mark Eliot Paley , Thekkthalackal Varugis Kurien , David B. Cross
发明人： Bryan Mark Willman , Paul England , Kenneth D. Ray , Jamie Hunter , Lonnie Dean McMichael , Derek Norman LaSalle , Pierre Jacomet , Mark Eliot Paley , Thekkthalackal Varugis Kurien , David B. Cross
IPC分类号： G06F9/00
CPC分类号： G06F21/575 , G06F9/4401
摘要： A mechanism for protected operating system boot that prevents rogue components from being loaded with the operating system, and thus prevents divulgence of the system key under inappropriate circumstances. After a portion of the machine startup procedure has occurred, the operating system loader is run, the loader is validated, and a correct machine state is either verified to exist and/or created. Once the loader has been verified to be a legitimate loader, and the machine state under which it is running is verified to be correct, the loader's future behavior is known to protect against the loading of rogue components that could cause divulgence of the system key. With the loader's behavior being known to be safe for the system key, the validator may unseal the system key and provides it to the loader.
摘要翻译：用于保护操作系统启动的机制，可防止恶意组件与操作系统一起加载，从而防止系统密钥在不适当情况下泄露。在机器启动过程的一部分发生后，运行操作系统加载程序，验证加载程序，并验证是否存在和/或创建正确的机器状态。一旦加载程序已被验证为合法的装载程序，并且其运行的机器状态被验证为正确的，则加载程序的未来行为是已知的，以防止可能导致系统密钥泄露的流氓组件的加载。对于系统密钥，加载程序的行为被认为是安全的，验证器可以打开系统密钥并将其提供给加载程序。

3. 发明授权

US07418512B2 Securely identifying an executable to a trust-determining entity 有权
标题翻译：安全地识别信任确定实体的可执行文件
公开(公告)号：US07418512B2
公开(公告)日：2008-08-26
申请号：US10692224
申请日：2003-10-23
申请人： Paul England , Anshul Dhir , Thekkthalackal Varugis Kurien , Kenneth D. Ray
发明人： Paul England , Anshul Dhir , Thekkthalackal Varugis Kurien , Kenneth D. Ray
IPC分类号： G06F15/16
CPC分类号： G06F21/62
摘要： A resource is obtained from a resource provider (RP) for a resource requester (RR) operating on a computing device. The RR has an identity descriptor (id) associated therewith, where the id including security-related information specifying an environment in which the RR operates. A code identity (code-ID) is calculated corresponding to and based on the loaded RR and loaded id. The RP verifies that the calculated code-ID in a request for the resource matches one of one or more valid code-IDs for the identified RR to conclude that the RR and id can be trusted, and the RP responds to the forwarded request by providing the requested resource to the RR.
摘要翻译：从用于在计算设备上操作的资源请求者（RR）的资源提供者（RP）获得资源。 RR具有与其相关联的身份描述符（id），其中id包括指定RR操作的环境的安全相关信息。代码标识（代码ID）是根据加载的RR和加载的id来计算的。 RP验证在资源请求中计算的代码ID与所识别的RR的一个或多个有效代码ID中的一个匹配，以得出可以信任的RR和ID，并且RP通过提供转发的请求来响应转发的请求向RR请求的资源。

4. 发明申请

US20090313397A1 Methods and Systems for Protecting Data in USB Systems 审中-公开
标题翻译： USB系统数据保护方法与系统
公开(公告)号：US20090313397A1
公开(公告)日：2009-12-17
申请号：US12348487
申请日：2009-01-05
申请人： Paul England , Kenneth D. Ray , Marcus Peinado , John C. Dunn , Glen Slick , Bryan Willman
发明人： Paul England , Kenneth D. Ray , Marcus Peinado , John C. Dunn , Glen Slick , Bryan Willman
IPC分类号： G06F13/28
CPC分类号： G06F12/1408 , G06F3/065 , G06F13/28 , G06F13/362 , G06F13/4282 , G06F21/606 , G06F21/72 , G06F21/73 , G06F21/78 , G06F21/85 , G06F2212/1052 , G06F2221/0704 , G06F2221/2105 , G06F2221/2129 , G06F2221/2147 , G06F2221/2153
摘要： The various embodiments described below are directed to providing authenticated and confidential messaging from software executing on a host (e.g. a secure software application or security kernel) to and from I/O devices operating on a USB bus. The embodiments can protect against attacks that are levied by software executing on a host computer. In some embodiments, a secure functional component or module is provided and can use encryption techniques to provide protection against observation and manipulation of USB data. In other embodiments, USB data can be protected through techniques that do not utilized (or are not required to utilize) encryption techniques. In accordance with these embodiments, USB devices can be designated as “secure” and, hence, data sent over the USB to and from such designated devices can be provided into protected memory. Memory indirection techniques can be utilized to ensure that data to and from secure devices is protected.
摘要翻译：下面描述的各种实施例旨在从在USB总线上操作的I / O设备到主机（例如安全软件应用或安全内核）上执行的软件提供经认证和保密的消息传递。这些实施例可以防止在主计算机上执行的软件所征收的攻击。在一些实施例中，提供了安全的功能部件或模块，并且可以使用加密技术来提供对USB数据的观察和操纵的保护。在其他实施例中，USB数据可以通过不被利用（或不需要利用）加密技术的技术来保护。根据这些实施例，USB设备可以被指定为“安全”，因此，可以通过USB向这些指定设备发送和从这些指定设备发送的数据提供到受保护的存储器中。可以利用内存间接技术来确保进出安全设备的数据受到保护。

5. 发明授权

US07478235B2 Methods and systems for protecting data in USB systems 有权
标题翻译：在USB系统中保护数据的方法和系统
公开(公告)号：US07478235B2
公开(公告)日：2009-01-13
申请号：US10187259
申请日：2002-06-28
申请人： Paul England , Kenneth D. Ray , Marcus Peinado , John C. Dunn , Glen Slick , Bryan Willman
发明人： Paul England , Kenneth D. Ray , Marcus Peinado , John C. Dunn , Glen Slick , Bryan Willman
IPC分类号： H04L9/00 , H04L9/32 , G06F11/30
CPC分类号： G06F12/1408 , G06F3/065 , G06F13/28 , G06F13/362 , G06F13/4282 , G06F21/606 , G06F21/72 , G06F21/73 , G06F21/78 , G06F21/85 , G06F2212/1052 , G06F2221/0704 , G06F2221/2105 , G06F2221/2129 , G06F2221/2147 , G06F2221/2153
摘要： The various embodiments described below are directed to providing authenticated and confidential messaging from software executing on a host (e.g. a secure software application or security kernel) to and from I/O devices operating on a USB bus. The embodiments can protect against attacks that are levied by software executing on a host computer. In some embodiments, a secure functional component or module is provided and can use encryption techniques to provide protection against observation and manipulation of USB data. In other embodiments, USB data can be protected through techniques that do not utilized (or are not required to utilize) encryption techniques. In accordance with these embodiments, USB devices can be designated as “secure” and, hence, data sent over the USB to and from such designated devices can be provided into protected memory. Memory indirection techniques can be utilized to ensure that data to and from secure devices is protected.
摘要翻译：下面描述的各种实施例旨在从在USB总线上操作的I / O设备到主机（例如安全软件应用或安全内核）上执行的软件提供经认证和保密的消息传递。这些实施例可以防止在主计算机上执行的软件所征收的攻击。在一些实施例中，提供了安全的功能部件或模块，并且可以使用加密技术来提供对USB数据的观察和操纵的保护。在其他实施例中，USB数据可以通过不被利用（或不需要利用）加密技术的技术来保护。根据这些实施例，USB设备可以被指定为“安全”，因此，可以通过USB向这些指定设备发送和从这些指定设备发送的数据提供到受保护的存储器中。可以利用内存间接技术来确保进出安全设备的数据受到保护。

6. 发明授权

US08028172B2 Systems and methods for updating a secure boot process on a computer with a hardware security module 有权
标题翻译：使用硬件安全模块在计算机上更新安全引导过程的系统和方法
公开(公告)号：US08028172B2
公开(公告)日：2011-09-27
申请号：US11036018
申请日：2005-01-14
申请人： Jamie Hunter , Paul England , Russell Humphries , Stefan Thom , James Anthony Schwartz, Jr. , Kenneth D. Ray , Jonathan Schwartz
发明人： Jamie Hunter , Paul England , Russell Humphries , Stefan Thom , James Anthony Schwartz, Jr. , Kenneth D. Ray , Jonathan Schwartz
IPC分类号： H04L9/32
CPC分类号： G06F21/575
摘要： Systems and methods are provided for maintaining and updating a secure boot process on a computer with a trusted platform module (TPM). A boot process may be maintained by inspecting a log of TPM activity, determining data that prevented a secret to unseal, and returning the data to an original state. In situations where this type of recovery is not workable, techniques for authenticating a user may be used, allowing the authenticated user to bypass the security features of the boot process and reseal the boot secrets to platform configuration register (PCR) values that may have changed. Finally, a secure boot process may be upgraded by migrating TPM sealed secrets to a temporary storage location, updating one or more aspects of a secure boot process, and resealing the secrets to the resulting new platform configuration. Other advantages and features of the invention are described below.
摘要翻译：提供了系统和方法，用于在具有可信平台模块（TPM）的计算机上维护和更新安全引导过程。可以通过检查TPM活动的日志来确定启动过程，确定防止秘密解密的数据，并将数据返回到原始状态。在这种类型的恢复不可行的情况下，可以使用用于验证用户的技术，允许经过身份验证的用户绕过引导过程的安全特征并将启动秘密重新密封到可能已经改变的平台配置寄存器（PCR）值。最后，可以通过将TPM密封的秘密迁移到临时存储位置来升级安全引导过程，更新安全引导过程的一个或多个方面，以及将密码重新密封到所得到的新平台配置。下面描述本发明的其它优点和特征。

7. 发明授权

US07529946B2 Enabling bits sealed to an enforceably-isolated environment 有权
标题翻译：使密封到可强制隔离环境的位
公开(公告)号：US07529946B2
公开(公告)日：2009-05-05
申请号：US11155071
申请日：2005-06-16
申请人： Kenneth D. Ray , Paul England , Peter Nicholas Biddle
发明人： Kenneth D. Ray , Paul England , Peter Nicholas Biddle
IPC分类号： G06F11/30 , G06F12/14 , H04L9/32
CPC分类号： G06F21/53 , G06F21/10 , G06F2221/2149
摘要： Prevention of unpermitted use of enabling bits is achieved by sealing the enabling bits to an environment in such a way that the bits can only be unsealed by or from the environment, and by using an isolation mechanism to isolate the environment from other environments on the machine on which the environment operates. The environment is trusted not to use the enabling bits except in accordance with a set of rules governing the bits. The enabling bits may be a decryption key for DRM-protected content, and the rules may be a license governing the use of that content. Trust that the enabling bits will not be misused is established by trusting the environment not to use the enabling bits contrary to the rules, trusting the isolation mechanism to isolate the environment, and trusting the unsealing mechanism only to unseal the bits for the environment.
摘要翻译：通过将启用比特密封到环境来实现防止未使用的使能位，使得这些比特仅能够被环境打开，或者通过使用隔离机制将环境与机器上的其它环境隔离开来环境运行。环境被信任不使用启用位，除了根据一组管理位的规则。启用位可以是用于受DRM保护的内容的解密密钥，并且规则可以是管理该内容的使用的许可证。相信启用位不会被滥用是通过信任环境不使用与规则相反的使能位来建立的，相信隔离机制来隔离环境，并且信任开封机制仅仅是为了解开环境的位。

8. 发明授权

US07409719B2 Computer security management, such as in a virtual machine or hardened operating system 有权
标题翻译：计算机安全管理，如虚拟机或硬化操作系统
公开(公告)号：US07409719B2
公开(公告)日：2008-08-05
申请号：US11019094
申请日：2004-12-21
申请人： Benjamin Armstrong , Paul England , Scott A. Field , Jason Garms , Michael Kramer , Kenneth D. Ray
发明人： Benjamin Armstrong , Paul England , Scott A. Field , Jason Garms , Michael Kramer , Kenneth D. Ray
IPC分类号： G06F21/00
CPC分类号： G06F21/53 , G06F21/56 , G06F21/566
摘要： A security scheme provides security to one or more self-contained operating environment instances executing on a computer. The security scheme may include implementing a set of security applications that may be controlled by a supervisory process, or the like. Both the set of security applications and the supervisory process may operate on a host system of the computer, which may also provide a platform for execution of the one or more self-contained operating environments. The security scheme protects processes running in the one or more self-contained operating environment and processes running on the computer outside of the self-contained operating environments.
摘要翻译：安全方案为在计算机上执行的一个或多个自包含的操作环境实例提供安全性。安全方案可以包括实现可由监督过程等控制的一组安全应用。所述一组安全应用程序和监督过程可以在计算机的主机系统上操作，其还可以提供用于执行一个或多个独立操作环境的平台。安全性方案保护在独立操作环境中运行的进程和在独立操作环境之外的计算机上运行的进程。

9. 发明授权

US07530103B2 Projection of trustworthiness from a trusted environment to an untrusted environment 有权
标题翻译：从可信环境到不受信任的环境的可信赖性的投射
公开(公告)号：US07530103B2
公开(公告)日：2009-05-05
申请号：US10638199
申请日：2003-08-07
申请人： Bryan Mark Willman , Paul England , Kenneth D. Ray , Keith Kaplan , Varugis Kurien , Michael David Marr
发明人： Bryan Mark Willman , Paul England , Kenneth D. Ray , Keith Kaplan , Varugis Kurien , Michael David Marr
IPC分类号： G06F7/04 , H04L9/00 , G06F11/30
CPC分类号： G06F21/552 , G06F21/57
摘要： In a single machine that has entities running in an untrusted environment and entities running in a trusted environment, the trustworthiness of the entities in the trusted environment is projected to the entities in the untrusted environment. This is applicable, for example, to Microsoft®'s Next Generation Secure Computing Base (NGSCB), where a regular operating system (e.g., the Windows® operating system) hosts a secure operating system (e.g., the nexus).
摘要翻译：在具有在不受信任的环境中运行的实体的单个机器以及在可信环境中运行的实体的情况下，可信环境中的实体的可信度将投影到不受信任的环境中的实体。这适用于例如Microsoft（R）的下一代安全计算基础（NGSCB），其中常规操作系统（例如Windows（R）操作系统））承载安全操作系统（例如，连接）。

10. 发明授权

US07506380B2 Systems and methods for boot recovery in a secure boot process on a computer with a hardware security module 有权
标题翻译：在具有硬件安全模块的计算机上的安全引导过程中启动恢复的系统和方法
公开(公告)号：US07506380B2
公开(公告)日：2009-03-17
申请号：US11035715
申请日：2005-01-14
申请人： Jamie Hunter , Paul England , Russell Humphries , Stefan Thom , James Anthony Schwartz, Jr. , Kenneth D. Ray , Jonathan Schwartz
发明人： Jamie Hunter , Paul England , Russell Humphries , Stefan Thom , James Anthony Schwartz, Jr. , Kenneth D. Ray , Jonathan Schwartz
IPC分类号： G06F21/02 , G06F11/30 , G06F9/00 , H04L9/00 , H04K1/00
CPC分类号： G06F21/575 , G06F2221/2101
摘要： Systems and methods are provided for maintaining and updating a secure boot process on a computer with a trusted platform module (TPM). A boot process may be maintained by inspecting a log of TPM activity, determining data that prevented a secret to unseal, and returning the data to an original state. In situations where this type of recovery is not workable, techniques for authenticating a user may be used, allowing the authenticated user to bypass the security features of the boot process and reseal the boot secrets to platform configuration register (PCR) values that may have changed. Finally, a secure boot process may be upgraded by migrating TPM sealed secrets to a temporary storage location, updating one or more aspects of a secure boot process, and resealing the secrets to the resulting new platform configuration. Other advantages and features of the invention are described below.
摘要翻译：提供了系统和方法，用于在具有可信平台模块（TPM）的计算机上维护和更新安全引导过程。可以通过检查TPM活动的日志来确定启动过程，确定防止秘密解密的数据，并将数据返回到原始状态。在这种类型的恢复不可行的情况下，可以使用用于验证用户的技术，允许经过身份验证的用户绕过引导过程的安全特征并将启动秘密重新密封到可能已经改变的平台配置寄存器（PCR）值。最后，可以通过将TPM密封的秘密迁移到临时存储位置来升级安全引导过程，更新安全引导过程的一个或多个方面，以及将密码重新密封到所得到的新平台配置。下面描述本发明的其它优点和特征。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式