Total found: 245. Displayed: 116.
Publication date: 08-09-2016

METHOD AND APPARATUS FOR SECURE NETWORK ENCLAVES

Number: US20160261570A1
Assignee:

Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a client identifier and an encrypted portion and/or an authorization signature, wherein a client authorization key allocated by the central network authority can be reproduced by a server, other than said central network authority, from the client identifier and a derivation key provided to the server by the central network authority to decrypt the encrypted portion and/or to validate the communication using the authorization signature. The server may also provide the client with new session keys and/or new client session identifiers using server-generated derivation keys if desired, protecting these with the client authorization key.

1. A method for secure network communications, the method comprising: initiating, by a server, authentication with a central network authority, wherein the server is different from the central network authority; receiving, by the server, from the central network authority a first derivation key; receiving, by the server from a client, a first communication including a client identifier that is provided by the central network authority; generating, by the server, a client authorization key as a pseudo-random function of (i) the client identifier and (ii) the first derivation key; and producing, by the server, a new session key and a new session identifier for the client and encrypting the new session key and the new session identifier using the client authorization key, wherein the new session key and the new session identifier are produced using a second derivation key generated by the server.
2. The method of claim 1, further comprising encrypting ...

Publication date: 10-11-2016

COMPUTING PLATFORM SECURITY METHODS AND APPARATUS

Number: US20160328562A1
Assignee:

Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.

1. An apparatus, comprising: a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.
2. An apparatus as defined in claim 1, wherein, when the offloader offloads the security task to the graphics processing unit, execution of at least one operation of the security task does not consume a cycle of the central processing unit.
3. An apparatus as defined in claim 1, wherein the offloader is to determine whether the central processing unit or the graphics processing unit is to execute the security task based on at least one of a first current workload of the central processing unit or a second current workload of the central processing unit.
4. An apparatus as defined in claim 1, wherein the offloader is to determine whether the central processing unit or the graphics processing unit is to execute the security task based on at least one of a size of the security task or a type of the security task.
5. An apparatus as defined in claim 1, wherein ...

Publication date: 27-06-2017

Computing platform security methods and apparatus

Number: US0009690928B2
Assignee: McAfee, Inc., MCAFEE INC

Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.

Publication date: 29-12-2016

BINDING A TRUSTED INPUT SESSION TO A TRUSTED OUTPUT SESSION

Number: US20160380985A1
Assignee: Intel Corporation

According to an embodiment provided herein, there is provided a system that binds a trusted output session to a trusted input session. The system includes a processor to execute an enclave application in an architecturally protected memory. The system includes at least one logic unit forming a trusted entity to, responsive to a request to set up a trusted I/O session, generate a unique session identifier logically associated with the trusted I/O session and set a trusted I/O session indicator to a first state. The system includes at least one logic unit forming a cryptographic module to, responsive to the request to set up the trusted I/O session, receive an encrypted encryption key and the unique session identifier from the enclave application; verify the unique session identifier; and responsive to a successful verification, decrypt and save the decrypted encryption key in an encryption key register.

1. A system that binds a trusted output session to a trusted input session to provide a trusted input/output (I/O) session, comprising: a processor to execute an enclave application in an architecturally protected memory; at least one logic unit forming a trusted entity to, responsive to receipt of a request from the enclave application to open a trusted I/O session: generate a unique session identifier logically associated with the trusted I/O session; store the unique session identifier at an address in the architecturally protected memory accessible to the enclave application; and set a trusted I/O session indicator to a first state; and at least one logic unit forming a cryptographic module to: receive the unique session identifier from the trusted entity; receive an encrypted encryption key and the unique session identifier written to the architecturally protected memory from the enclave application; verify the unique session identifier received from the trusted entity against the unique session identifier received from the enclave application; and responsive to a successful verification, decrypt and save the ...

Publication date: 13-12-2016

Secure environment for graphics processing units

Number: US0009519803B2
Assignee: Intel Corporation, INTEL CORP

In accordance with some embodiments, a protected execution environment may be defined for a graphics processing unit. This framework not only protects the workloads from malware running on the graphics processing unit but also protects those workloads from malware running on the central processing unit. In addition, the trust framework may facilitate proof of secure execution by measuring the code and data structures used to execute the workload. If a part of the trusted computing base of this framework or protected execution environment is compromised, that part can be patched remotely, and the patching can be proven remotely through attestation in some embodiments.

Publication date: 05-12-2017

Binding a trusted input session to a trusted output session

Number: US0009838367B2
Assignee: INTEL CORPORATION, INTEL CORP, Intel Corporation

According to an embodiment provided herein, there is provided a system that binds a trusted output session to a trusted input session. The system includes a processor to execute an enclave application in an architecturally protected memory. The system includes at least one logic unit forming a trusted entity to, responsive to a request to set up a trusted I/O session, generate a unique session identifier logically associated with the trusted I/O session and set a trusted I/O session indicator to a first state. The system includes at least one logic unit forming a cryptographic module to, responsive to the request to set up the trusted I/O session, receive an encrypted encryption key and the unique session identifier from the enclave application; verify the unique session identifier; and responsive to a successful verification, decrypt and save the decrypted encryption key in an encryption key register.

Publication date: 28-07-2015

Protecting systems from unauthorized access to system resources using browser independent web page technology

Number: US0009092617B2
Assignee: Intel Corporation, INTEL CORP, INTEL CORPORATION

In some embodiments, a filter may filter web graphics library code executing on the graphics processing unit. As a result, the web graphics library code may be prevented from accessing memory or other resources that are not allocated specifically for the web graphics library module. Likewise, web graphics library code may not access any shared resources that have been explicitly assigned to the process-specific web graphics library module.

Publication date: 18-12-2013

Method and apparatus for transparently instrumenting an application program

Number: CN103460179A
Assignee:

Generally, this disclosure describes systems and methods for transparently instrumenting a computer process. The systems and methods are configured to allow instrumenting executable code while permitting legacy memory scanning tools to monitor corresponding uninstrumented executable code stored in memory.

Publication date: 22-11-2016

Secure video output path

Number: US0009501668B2

Systems and methods for secure delivery of output surface bitmaps to a display engine. An example processing system comprises: an architecturally protected memory; and a processing core communicatively coupled to the architecturally protected memory, the processing core comprising a processing logic configured to implement an architecturally-protected execution environment by performing at least one of: executing instructions residing in the architecturally protected memory and preventing an unauthorized access to the architecturally protected memory; wherein the processing logic is further configured to provide a secure video output path by generating an output surface bitmap encrypted with a first encryption key and storing an encrypted first encryption key in an external memory, wherein the encrypted first encryption key is produced by encrypting the first encryption key with a second encryption key.

Publication date: 29-07-2015

Web application container for client-level runtime control

Number: CN104813331A
Author: Li Hong, Dewan Prashant
Assignee:

Technologies for establishing client-level web application runtime control using a computing device include receiving application code for a browser-based application from a web server and generating machine-executable code and an access control map for the application code. The computing device receives application security information associated with the application code from local and/or remote security applications and performs a security assessment of the application code based on the application security information and the access control map. Further, the computing device establishes a runtime security policy for the browser-based application and enforces that policy.

Publication date: 10-11-2015

Apparatus and method for page walk extension for enhanced security checks

Number: US0009183161B2
Assignee: INTEL CORPORATION, INTEL CORP

An apparatus and method for managing a protection table by a processor. For example, a processor according to one embodiment of the invention comprises: protection table management logic to manage a protection table, the protection table having an entry for each protected page or each group of protected pages in memory; wherein the protection table management logic prevents direct access to the protection table by user application program code and operating system program code but permits direct access by the processor.

Publication date: 22-06-2017

SECURELY ROUTING SENSOR DATA FROM SENSORS TO A TRUSTED EXECUTION ENVIRONMENT (TEE)

Number: US20170180386A1
Assignee:

Various configurations and methods for providing a secure transfer of data from computing device sensors to a Trusted Execution Environment (TEE) are disclosed. As disclosed, various data flows, data sequences, and configurations are provided to allow sensor data to maintain integrity and confidentiality while being accessed by trusted agents of a TEE. In an example, a microcontroller-based TEE is operated to communicate with a sensor hub via a secure hardware channel. The microcontroller-based TEE is configured to receive the sensor data via the secure hardware channel, and communicate the sensor data to other trusted agents in the computing system via secure communications. Other variations of secure communications among multiple sensors, trusted agents, TEEs, and third party services are also disclosed.

1. An apparatus, comprising: a sensor hub, the sensor hub coupled to a sensor, the sensor hub to receive sensor data from the sensor; a microcontroller, the microcontroller coupled to the sensor hub via a secure hardware channel, the microcontroller to perform operations that: execute a trusted execution environment (TEE); receive in the TEE, via the secure hardware channel, the sensor data; and communicate, from the TEE, the sensor data to a trusted agent, the trusted agent in secure communication with the TEE.
2. The apparatus of claim 1, further comprising: a second sensor, wherein the sensor hub is further coupled to the second sensor, and wherein the sensor data includes data from the second sensor.
3. The apparatus of claim 1, wherein the trusted agent in secure communication with the TEE is provided from a host-based TEE, wherein the host-based TEE is executed within an operating system, and wherein the operations of the microcontroller that communicate the sensor data to the trusted agent include operations that: establish an application programming interface (API); receive a request from the host-based TEE, via the API, for the sensor ...

Publication date: 22-06-2017

SECURE REMOTE DEBUGGING OF SoCs

Number: US20170176524A1
Assignee:

Techniques for secure remote debugging of SoCs are described. The SoC includes an intellectual property (IP) block, a microcontroller, and a fabric coupled to the IP block and the microcontroller. The IP block transmits, via the fabric, information regarding events within the IP block to the microcontroller. The microcontroller executes firmware including a network stack and a remote debugger program. Using the firmware, the microcontroller provides the event information to a device external to the SoC.

1. A system on a chip (SoC), comprising: an intellectual property (IP) block to produce an event; a microcontroller to execute firmware comprising a network stack and a remote debugger program; and a fabric coupled to the microcontroller and the IP block; wherein the IP block is to transmit, over the fabric, information about the produced event to the microcontroller; and wherein the microcontroller is to use the network stack and the remote debugger program to provide the information about the produced event to a device external to the SoC.
2. The SoC of claim 1, wherein the IP block is a processor.
3. The SoC of claim 1, wherein the fabric is a sideband fabric.
4. The SoC of claim 1, wherein the IP block comprises: a virtual test access port (vTAP); and a functional pipeline comprising a hardware processing module; and a register.
5. The SoC of claim 4, wherein the vTAP comprises: a slave interface coupled to the fabric; a master interface coupled to the fabric and to the functional pipeline; and a decoder coupled to the slave interface and to the functional pipeline; wherein the slave interface is to receive a command from the microcontroller via the fabric; and transfer the command to the decoder; wherein the decoder is to decode the command; and transfer the decoded command to the functional pipeline; wherein the functional pipeline is to execute the decoded command using the hardware processing module; and update the register in response to the execution of the decoded command; and ...

Publication date: 20-02-2018

Computing platform security methods and apparatus

Number: US0009898340B2
Assignee: MCAFEE, INC., MCAFEE INC, McAfee Inc.

Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.

Publication date: 20-12-2016

Partitioning access to system resources

Number: US0009525555B2
Assignee: Intel Corporation, INTEL CORP

In one embodiment, a processor has at least one core to execute instructions, a security engine coupled to the at least one core, a first storage to store a first immutable key associated with a vendor of the processor, and a second storage to store a second immutable key associated with an original equipment manufacturer (OEM) of the system. A first portion of firmware is to be verified based at least in part on the first immutable key and a second portion of firmware is to be verified based at least in part on the second immutable key, the first portion of firmware associated with the vendor and the second portion of firmware associated with the OEM. Other embodiments are described and claimed.

Publication date: 15-12-2016

TECHNOLOGIES FOR MULTI-FACTOR SECURITY ANALYSIS AND RUNTIME CONTROL

Number: US20160364566A1
Assignee: Intel Corp

Technologies for client-level web application runtime control and multi-factor security analysis by a computing device include receiving application code associated with a browser-based application from a web server. The computing device collects real-time data generated by at least one sensor of the computing device and performs a multi-factor security assessment of the browser-based application as a function of the collected real-time data and the application code. Further, the computing device establishes a client-level web application runtime security policy associated with the browser-based application in response to performing the multi-factor security assessment and enforces the client-level web application runtime security policy.

Publication date: 16-05-2017

Symmetric key distribution framework for the Internet

Number: US0009654453B2
Assignee: Intel Corporation, INTEL CORP

A method, device, and system are disclosed. In one embodiment the method includes receiving measured health information from a client on a key distribution server. Once the measured health information is received, the server is capable of validating the measured health information to see if it is authentic. The server is also capable of sending a session key to the client when the measured health information is validated. When the client receives the session key, the client is capable of initiating an encrypted and authenticated connection with an application server in the domain using the session key.

Publication date: 22-08-2012

End-to-end network security with traffic visibility

Number: CN102647431A
Assignee:

End-to-end security between clients and a server, and traffic visibility to intermediate network devices, achieved through combined mode, single pass encryption and authentication using two keys is disclosed. In various embodiments, a combined encryption-authentication unit includes a cipher unit and an authentication unit coupled in parallel to the cipher unit, and generates an authentication tag using an authentication key in parallel with the generation of the cipher text using an encryption key, where the authentication and encryption key have different key values. In various embodiments, the cipher unit operates in AES counter mode, and the authentication unit operates in parallel, in AES-GMAC mode. Using a two-key, single-pass combined mode algorithm preserves network performance using a limited number of HW gates, while allowing an intermediate device access to the encryption key for deciphering the data, without providing that device the ability to compromise data integrity, which ...

Publication date: 10-10-2017

Techniques for enforcing a depth order policy for graphics in a display scene

Number: US0009786205B2
Assignee: INTEL CORPORATION, INTEL CORP

Various embodiments are generally directed to an apparatus and method for processing an encrypted graphic with a decryption key associated with a depth order policy including a depth position of a display scene, generating a graphic from the encrypted graphic when the encrypted graphic is successfully decrypted using the decryption key, and assigning the graphic to a plane at the depth position of the display scene when the encrypted graphic is successfully decrypted.

Publication date: 16-05-2017

Entry/exit architecture for protected device modules

Number: US0009652609B2
Assignee: Intel Corporation, INTEL CORP

The entry/exit architecture may be a critical component of a protection framework using a secure enclaves-like trust framework for coprocessors. The entry/exit architecture describes steps that may be used to switch securely into a trusted execution environment (entry architecture) and out of the trusted execution environment (exit architecture), at the same time preventing any secure information from leaking to an untrusted environment.

Publication date: 24-10-2017

Secure rendering of display surfaces

Number: US0009799093B2
Assignee: Intel Corporation, INTEL CORP

A protected graphics module can send its output to a display engine securely. Secure communications with the display can provide a level of confidentiality of content generated by protected graphics modules against software and hardware attacks.

Publication date: 03-07-2014

APPARATUS AND METHOD FOR PAGE WALK EXTENSION FOR ENHANCED SECURITY CHECKS

Number: US20140189274A1
Assignee:

An apparatus and method for managing a protection table by a processor. For example, a processor according to one embodiment of the invention comprises: protection table management logic to manage a protection table, the protection table having an entry for each protected page or each group of protected pages in memory; wherein the protection table management logic prevents direct access to the protection table by user application program code and operating system program code but permits direct access by the processor.

1. A processor comprising: protection table management logic to manage a protection table, the protection table having an entry for each protected page or each group of protected pages in memory; wherein the protection table management logic prevents direct access to the protection table by user application program code and operating system program code but permits direct access by the processor.
2. The processor as in further comprising: a base address register to store a base address of the protection table.
3. The processor as in claim 2, wherein a protection table entry is identified by combining the base address with an offset, wherein the offset is a function of a physical address (PA) of a protected page with which the protection table entry is associated.
4. The processor as in further comprising: a page miss handler (PMH) to manage page walk operations for accessing the protection table from memory.
5. The processor as in further comprising: a translation lookaside buffer (TLB) for storing at least a portion of a protection table entry after the entry has been accessed from memory.
6. The processor as in wherein the TLB further stores a virtual to physical address mapping associated with the protection table entry.
7. The processor as in claim 1, wherein the permissions indicate that a particular page cannot be accessed in a certain manner, wherein the page management logic prevents a process from accessing the page in the certain manner upon reading ...

Publication date: 12-10-2017

COMPUTING PLATFORM SECURITY METHODS AND APPARATUS

Number: US20170293758A1
Assignee:

Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.

1. (canceled)
2. An apparatus to reduce malware effects on an external computing platform, the apparatus comprising: a security application to identify a first malicious element in response to a scan of a local computing platform; and a reporter to retrieve a first indication of the first malicious element on the local computing platform; and reduce malware effects of the first malicious element on an external computing platform by conveying first data associated with the first indication of the first malicious element to the external computing platform.
3. The apparatus as defined in claim 2, wherein the reporter is to include traffic pattern information as the first data associated with the first indication of the first malicious element.
4. The apparatus as defined in claim 2, wherein the external computing platform includes at least one of an endpoint device, a server or a network aggregator.
5. The apparatus as defined in claim 2, wherein the reporter is to convey a target memory type of the first malicious element to the external computing platform.
6. The apparatus as defined in claim 2, further including a receiver to retrieve second data associated with a second indication of a second malicious element occurring on the external computing platform.
7. The apparatus as defined in claim 6, wherein the receiver is to retrieve a target computing process associated with the ...

Publication date: 03-10-2017

Differentiated containerization and execution of web content based on trust level and other attributes

Number: US0009781118B2
Assignee: Intel Corporation, INTEL CORP

Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

Publication date: 05-10-2017

COMPUTING PLATFORM SECURITY METHODS AND APPARATUS

Number: US20170286172A1
Assignee:

Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.

1. An apparatus to initiate a security action, the apparatus comprising: a dispatcher to receive a task to be executed on a graphics processing unit from a consumer of the graphics processing unit; a notifier to provide status information associated with the task to the consumer of the graphics processing unit, wherein the status information includes an indication of whether the task is preempted; and a trigger event analyzer to initiate a security action by the consumer based on the indication.
2. The apparatus as defined in claim 1, wherein the notifier is to provide the status information to the consumer of the graphics processing unit at a privilege level associated with trusted components.
3. The apparatus as defined in claim 1, further including a scheduler to obtain the status information and to obtain a change in the status information.
4. The apparatus as defined in claim 1, wherein the status information provided by the notifier includes an identifier of a process that preempted the task.
5. The apparatus as defined in claim 4, further including a security application to receive the status information and to use the status information to evaluate the process that preempted the task.
6. The apparatus as defined in claim 1, wherein the consumer is a security application and the task is a malware detection scan associated with the security application.
7. The apparatus as defined in ...

Publication date: 12-04-2012

Method and apparatus for registering agents onto a virtual machine monitor

Number: US20120090016A1
Assignee: Individual

A method for managing an agent includes verifying an integrity of the agent in response to a registration request. Memory protection is provided for the agent during integrity verification. An indication is generated when registration of the agent has been completed. According to one aspect of the present invention, providing memory protection includes having a virtual machine monitor limit access to the agent. Other embodiments are described and claimed.

19-04-2012 дата публикации

END-TO-END NETWORK SECURITY WITH TRAFFIC VISIBILITY

Номер: US20120096270A1
Принадлежит:

End-to-end security between clients and a server, and traffic visibility to intermediate network devices, achieved through combined mode, single pass encryption and authentication using two keys is disclosed. In various embodiments, a combined encryption-authentication unit includes a cipher unit and an authentication unit coupled in parallel to the cipher unit, and generates an authentication tag using an authentication key in parallel with the generation of the cipher text using an encryption key, where the authentication and encryption key have different key values. In various embodiments, the cipher unit operates in AES counter mode, and the authentication unit operates in parallel, in AES-GMAC mode Using a two key, single pass combined mode algorithm preserves network performance using a limited number of HW gates, while allowing an intermediate device access to the encryption key for deciphering the data, without providing that device the ability to compromise data integrity, which is preserved between the end to end devices. 112-. (canceled)13. An apparatus comprising:a buffer configured to relay network packets transmitted between clients and servers of a network, each packet having been encrypted and associated with an authentication tag in a single pass by a client or a server using a corresponding set of encryption key and an authentication key of a client-server pair, the encryption and authentication keys having different key values; anda processing unit coupled to the buffer to decipher and inspect one or more of the packets using the corresponding encryption keys, the processing unit, in terms of the encryption and authentication keys, having only the encryption keys.14. The apparatus of wherein the processing unit is further configured to derive the encryption keys. This application relates to the fields of communication and networking, and in particular, to maintaining end-to-end security between clients and a server, while allowing traffic ...

Publication date: 04-10-2012

METHOD AND APPARATUS FOR TRANSPARENTLY INSTRUMENTING AN APPLICATION PROGRAM

Number: US20120255015A1
Assignee:

Generally, this disclosure describes systems and methods for transparently instrumenting a computer process. The systems and methods are configured to allow instrumenting executable code while permitting legacy memory scanning tools to monitor the corresponding uninstrumented executable code stored in memory.

1. A method, comprising:
storing at least a portion of an executable application program in a host system physical memory at a first host physical address;
instrumenting a copy of said portion of said executable application program and storing said instrumented copy in said host system physical memory at a second host physical address;
setting a corresponding access permission to read only for said first host physical address and setting a corresponding access permission to execute only for said second host physical address; and
executing said instrumented copy or reading said portion of said executable application program based, at least in part, on said access permissions.
2. The method of claim 1, further comprising:
generating a page fault in response to an attempt to read said second host physical address or an attempt to execute said portion of said executable application program stored at said first host physical address.
3. The method of claim 2, further comprising:
determining a type of said page fault; and
updating an extended page table entry to correspond to said second host physical address if said page fault is an execute fault or to correspond to said first host physical address if said page fault is a read fault.
4. The method of claim 1, wherein a memory scanner is configured to read said portion of said executable application program.
5. The method of claim 1, further comprising:
generating a first extended page table associated with said first host physical address and a second extended page table associated with said second host physical address; and
instrumenting a memory scanner with a first instruction, said first instruction configured to select ...

Publication date: 14-03-2013

METHOD AND DEVICE FOR SECURELY SHARING IMAGES ACROSS UNTRUSTED CHANNELS

Number: US20130067228A1
Assignee:

A method and device for securely sharing images across untrusted channels includes downloading an encrypted image from a remote server to a computing device. The encrypted image may have been encrypted at the time of uploading by another user. The current user of the computing device is authenticated using a facial recognition procedure. If the current user is authenticated and is determined to be authorized to view the decrypted image, the encrypted image is decrypted and displayed to the user. If the user becomes unauthenticated (e.g., the user leaves the computing device or another user replaces the current user), the encrypted image is displayed in place of the decrypted image, such that the decrypted image is displayed only for authorized persons physically present at the computing device.

1. A method comprising:
downloading an encrypted image and an image of an authorized user to a computing device;
receiving an image of a current user of the computing device from a camera communicatively coupled to the computing device;
authenticating the current user by performing a facial recognition procedure on the image of the current user using the image of the authorized user to verify that the current user is the authorized user;
determining whether the authenticated current user is authorized to view a decrypted image of the encrypted image; and
in response to the authenticated current user being authorized to view the decrypted image, (i) decrypting the encrypted image and (ii) displaying the decrypted image on the computing device.
2. The method of claim 1, wherein downloading an encrypted image comprises downloading a webpage including the encrypted image from the remote server using a web browser of the computing device.
3. The method of claim 1, wherein downloading an encrypted image comprises downloading an encrypted image including an encrypted key, and wherein determining whether the authenticated current user is authorized to view the decrypted image comprises ...

Publication date: 20-06-2013

METHOD AND APPARATUS TO PROVIDE SECURE APPLICATION EXECUTION

Number: US20130159726A1
Assignee:

A technique to enable secure application and data integrity within a computer system. In one embodiment, one or more secure enclaves are established in which an application and data may be stored and executed.

1. A processor comprising:
execution logic to perform at least a first instruction to move protected data between an enclave page cache (EPC) and a second storage area during execution of a program accessing the protected data, wherein the program is to run in a protected mode.
2. The processor of claim 1, wherein a security map (SMAP) is to help ensure the integrity of the program when the program is stored in a hard disk drive or protected memory.
3. A processor comprising:
execution logic to perform a first instruction to identify a software thread running in a secure enclave, wherein the first instruction is to inform a user's program of the identity of the software thread.
4. A processor comprising:
execution logic to perform at least a first instruction to dynamically access at least one information field to determine the integrity of data stored in the secure enclave, wherein the at least one information field includes a secure map (SMAP) field and a security information (SEC_INFO) field.
5. A processor comprising:
execution logic to perform a first instruction to report the state of a secure enclave stored in memory to either a local or remote agent.
6. A processor comprising:
a crypto memory aperture (CMA) to protect a software program against attacks when the software program is executing; and
a secure map (SMAP) to protect the software program when the software program is not executing.
7. A processor comprising:
execution logic to perform at least one secure enclave access instruction to allocate or de-allocate memory or software threads inside a secure enclave.
8. A processor comprising:
a hierarchical protection tree, SMAP, to enable multiple memory updates within a secure enclave in a single processor cycle.
9. A processor comprising:
execution logic to perform ...

Publication date: 01-08-2013

METHOD AND APPARATUS TO PROVIDE SECURE APPLICATION EXECUTION

Number: US20130198853A1
Assignee:

A technique to enable secure application and data integrity within a computer system. In one embodiment, one or more secure enclaves are established in which an application and data may be stored and executed.

1. A processor comprising:
execution logic to perform at least a first instruction to move protected data between an enclave page cache (EPC) and a second storage area during execution of a program accessing the protected data, wherein the program is to run in a protected mode.
2. The processor of claim 1, wherein a security map (SMAP) is to help ensure the integrity of the program when the program is stored in a hard disk drive or protected memory.
3. A processor comprising:
execution logic to perform a first instruction to identify a software thread running in a secure enclave, wherein the first instruction is to inform a user's program of the identity of the software thread.
4. A processor comprising:
execution logic to perform at least a first instruction to dynamically access at least one information field to determine the integrity of data stored in the secure enclave, wherein the at least one information field includes a secure map (SMAP) field and a security information (SEC_INFO) field.
5-15. (canceled)

This patent application is a continuation-in-part of and claims priority to International Application No. PCT/US2009/069212, filed Dec. 22, 2009, entitled METHOD AND APPARATUS TO PROVIDE SECURE APPLICATION EXECUTION.

Embodiments of the invention relate generally to the field of information processing and more specifically, to the field of security in computing systems and microprocessors.

Securing execution and integrity of applications and their data within a computer system is of growing importance. Some prior art security techniques fail to adequately secure applications and data in a flexible but reliable manner.

Embodiments of the invention pertain to a technique for providing secure application and data in a flexible but reliable manner. Although there ...

Publication date: 24-10-2013

PRESERVING IMAGE PRIVACY WHEN MANIPULATED BY CLOUD SERVICES

Number: US20130279690A1
Assignee:

An apparatus and method for preserving image privacy when manipulated by cloud services includes middleware for receiving an original image and splitting the original image into two sub-images, where the RGB pixel values of the sub-images have a bit value that is less than the RGB pixel values of the original image. The sub-images are encrypted by adding a keystream to the RGB pixel values of the sub-images. The sub-image data is transmitted to a cloud service such as a social network or photo-sharing site, which manipulates the images by resizing, cropping, filtering, or the like. The sub-image data is received by the middleware and is successfully decrypted irrespective of the manipulations performed by the cloud services. In an alternative embodiment, the blocks of the original image are permuted when encrypted, and then reverse-permuted when decrypted.

1. A method for preserving image privacy, comprising:
receiving an original image;
splitting the original image into first and second sub-images;
for each of a plurality of pixel values of the first sub-image, adding a corresponding keystream value selected from a plurality of keystream values;
producing a first encrypted sub-image;
for each of a plurality of pixel values of the second sub-image, adding a corresponding keystream value selected from the plurality of keystream values; and
producing a second encrypted sub-image.
2. The method of claim 1, wherein the pixel values are Red/Green/Blue (RGB) pixel values, and wherein splitting further comprises:
determining an RGB pixel value for each of a plurality of pixels of the original image;
dividing each RGB pixel value of the original image into a first split RGB pixel value and a second split RGB pixel value;
associating each of the first split RGB pixel values with a corresponding RGB pixel value of the first sub-image; and
associating each of the second split RGB pixel values with a corresponding RGB pixel value of the second sub-image.
3. The method of claim 1, ...

Publication date: 07-11-2013

Copy Equivalent Protection Using Secure Page Flipping For Software Components Within An Execution Environment

Number: US20130298120A1
Assignee:

Embodiments of copy equivalent protection using secure page flipping for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor (VMM), Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. In an embodiment, an embedded VM is allowed to directly manipulate page table mappings so that, even without running the VMM or obtaining VMXRoot privilege, the embedded VM can directly flip pages of memory into its direct/exclusive control and back. Other embodiments may be described and claimed.

1. A system, comprising:
an embedded virtual machine (VM); and
a guest VM,
wherein both the embedded VM and the guest VM have mappings for a physical page table in memory,
wherein the embedded VM has equal or better permissions to the physical page table than the guest VM, and
wherein the embedded VM is configured to flip permissions on one or more pages in the physical page table for the guest VM such that the permissions are flipped from ‘read and write’ to ‘read-only’.
2. The system of claim 1, wherein the embedded VM has exclusive control of the physical page table once the permissions are flipped for the guest VM.
3. The system of claim 1, wherein the exclusive control of the embedded VM over the physical page table occurs without invoking a virtual machine monitor (VMM).
4. At least one storage medium having instructions stored thereon for causing an embedded virtual machine (VM) to:
flip permissions on one or more pages in a physical page table for a guest VM such that the permissions are flipped from ‘read and write’ to ‘read-only’;
wherein both the embedded VM and a guest VM have mappings for the physical page table in memory; and
wherein the embedded VM has equal or better permissions to the ...

Publication date: 21-11-2013

SYMMETRIC KEY DISTRIBUTION FRAMEWORK FOR THE INTERNET

Number: US20130311777A1
Assignee:

A method, device, and system are disclosed. In one embodiment the method includes receiving measured health information from a client on a key distribution server. Once the measured health information is received, the server is capable of validating the measured health information to see if it is authentic. The server is also capable of sending a session key to the client when the measured health information is validated. When the client receives the session key, the client is capable of initiating an encrypted and authenticated connection with an application server in the domain using the session key.

1. A key distribution server to generate a session key to secure communications with an application server, the key distribution server comprising:
key distribution server logic to:
receive health information generated by a client device requesting access to an application server, the health information describing the health of the client device based on a client health policy required to access the application server;
validate the health of the client device via the received health information;
provide the client device with a session key for secure interaction with the application server in response to validation of the health of the client device; and
provide the application server with a master key that corresponds to the session key, the master key being one of a plurality of unique master keys, each unique master key provided for each particular session key.
2. The key distribution server of claim 1, wherein the key distribution server logic is further to determine whether the health of the client device meets the client health policy required to access the application server.
3. The key distribution server of claim 2, wherein the key distribution server logic is further to:
generate the master key in response to a determination that the health of the client device meets the client health policy required to access the application server; and
generate the ...

Publication date: 02-01-2014

VIRTUAL MEMORY ADDRESS RANGE REGISTER

Number: US20140006746A1
Assignee:

Embodiments of apparatuses and methods including virtual memory address range registers are disclosed. In one embodiment, a processor includes a memory interface, address translation hardware, and virtual memory address comparison hardware. The memory interface is to access a system memory using a physical memory address. The address translation hardware is to support translation of a virtual memory address to the physical memory address. The virtual memory address is used by software to access a virtual memory location in the virtual memory address space of the processor. The virtual memory address comparison hardware is to determine whether the virtual memory address is within a virtual memory address range.

1. A processor comprising:
a memory interface to access a system memory using a physical memory address;
address translation hardware to support translation of a virtual memory address to the physical memory address, the virtual memory address used by software to access a virtual memory location in a virtual memory address space of the processor; and
virtual memory address comparison hardware to determine whether the virtual memory address is within a virtual memory address range.
2. The processor of claim 1, further comprising a virtual memory address range register to store a virtual memory base address of the virtual memory address range.
3. The processor of claim 2, further comprising a physical memory address range register to store a physical memory base address of a physical memory address range.
4. The processor of claim 3, further comprising physical memory address comparison hardware to determine whether the physical memory address is within the physical memory address range.
5. The processor of claim 4, further comprising a mask register to store a mask value.
6. The processor of claim 5, further comprising a first AND circuit to generate a current virtual memory address range value based on the virtual memory address and the mask value.
7. The processor ...

Publication date: 30-01-2014

MEDIA ENCRYPTION BASED ON BIOMETRIC DATA

Number: US20140032924A1
Assignee:

Embodiments of techniques and systems for biometric-data-based media encryption are described. In embodiments, an encryption key may be created for a recipient user based at least in part on biometric data of the recipient user. This encryption key may be maintained on a key maintenance component and used by a sharing user to encrypt a media file for access by the recipient user. One or more access policies associated with the recipient user may be encrypted in the encrypted media file as well. In embodiments, the media file may be encrypted for use by multiple recipient users. When a recipient user desires to access the encrypted media file, a decryption key may be generated in real time based on contemporaneously captured biometric data and used to provide access to the encrypted media file. Other embodiments may be described and claimed.

1. One or more non-transitory computer-readable media comprising instructions stored thereon that are configured to cause a computing device, in response to execution of the instructions by the computing device, to:
receive a request for a decryption key to decrypt an encrypted media file, wherein the request is generated in response to a user's request to access the encrypted media file, and wherein the media file is encrypted using a public key of a public-private key pair generated based on previously provided biometric data of the user;
generate, in response to the request, the decryption key based at least in part on real-time contemporaneously captured biometric data of the user, wherein data about the private key of the public-private key pair is not available to the computing device; and
provide the decryption key for use to decrypt the encrypted media file.
2. The one or more non-transitory computer-readable media of claim 1, wherein the instructions are further configured to cause the computing device, in response to execution, to decrypt the encrypted media file using the provided decryption key.
3. The ...

Publication date: 06-02-2014

HARDWARE ENFORCED MEMORY ACCESS PERMISSIONS

Number: US20140041033A1
Assignee:

Embodiments of apparatuses and methods for hardware enforced memory access permissions are disclosed. In one embodiment, a processor includes address translation hardware and memory access hardware. The address translation hardware is to support translation of a first address, used by software to access a memory, to a second address, used by the processor to access the memory. The memory access hardware is to detect an access permission violation.

1. A processor comprising:
address translation hardware to support translation of a first address to a second address, wherein the first address is used by software to access a memory and the second address is used by the processor to access the memory; and
memory access control hardware to detect an access permission violation.
2. The processor of claim 1, wherein the memory access control hardware is to refer to a permissions map to detect an access permission violation.
3. The processor of claim 2, wherein the memory access control hardware is to check access permissions for the second address in the permissions map.
4. The processor of claim 2, wherein the access control hardware is to compare the first address with a third address associated with the second address in the permissions map, where the third address is expected to be translated to the second address by the address translation hardware.
5. The processor of claim 1, wherein the memory access control hardware is to respond to the access permission violation by invoking microcode to collect information regarding the attempted access.
6. A method comprising:
translating, by address translation hardware in a processor, a first address to a second address, where the first address is used by software to access a memory and the second address is used by the processor to access the memory; and
detecting, by memory access control hardware in the processor, an access permission violation.
7. The method of claim 6, further comprising creating, by ...

Publication date: 13-02-2014

Methods and systems for cryptographic access control of video

Number: US20140044258A1
Assignee: Intel Corp

Methods and systems for cryptographic access control of multimedia video include embedding access control policy (ACP) information, including authorization rules and cryptographic information tied to an encryption policy, as metadata into encrypted video. An authorized receiver device having credentials and/or capabilities matched to the authorization rules is able to extract the ACP information from the encrypted video and use it to decrypt and properly render the video.

Publication date: 03-04-2014

DEVICE, METHOD, AND SYSTEM FOR CONTROLLING ACCESS TO WEB OBJECTS OF A WEBPAGE OR WEB-BROWSER APPLICATION

Number: US20140095870A1
Assignee:

A method and device for securely displaying web content with secure web objects across untrusted channels includes downloading web content from a web server. The web content includes tags that a web browser uses to authenticate the current user and identify encrypted web objects packaged in the web content. The computing device authenticates the current user using a biometric recognition procedure. If the current user is authenticated and determined to be authorized to view the decrypted web object, the encrypted web object is decrypted and displayed to the user. If the user is unauthenticated, the encrypted web object is displayed in place of the decrypted web object, such that the decrypted web object is displayed only for authorized persons physically present at the computing device. The biometric recognition procedure and web object decryption processes are protected through secure media path circuitry and secure memory.

1. A computing device for securely displaying web content, the computing device comprising:
a security module to detect a user authentication tag and a secure web object tag in the web content, the user authentication tag to identify biometric authentication data and the secure web object tag to identify an encrypted web object;
a biometric recognition module to (i) receive biometric data from a current user of the computing device and (ii) authenticate the current user of the computing device as a function of the received biometric data and the biometric authentication data; and
a cryptographic module to, in response to the user being authenticated, (i) decrypt an encrypted symmetric key packaged in association with the encrypted web object and (ii) decrypt the encrypted web object using the decrypted symmetric key,
wherein the decrypted web object is displayed to the current user on a display of the computing device.
2. The computing device of claim 1, wherein the biometric recognition module comprises processor graphics circuitry.
3. The ...

Publication date: 03-04-2014

DEVICE AND METHOD FOR SECURE USER INTERFACE GESTURE PROCESSING USING PROCESSOR GRAPHICS

Number: US20140096068A1
Assignee:

A device and method for securely rendering content on a gesture-enabled computing device includes initializing a secure execution environment on a processor graphics of the computing device. The computing device transfers view rendering code and associated state data to the secure execution environment. An initial view of the content is rendered by executing the view rendering code in the secure execution environment. A gesture is recognized, and an updated view of the content is rendered in the secure execution environment in response to the gesture. The gesture may include a touch gesture recognized on a touch screen, or a physical gesture of the user recognized by a camera. After the updated view of the content is rendered, the main processor of the computing device may receive updated view data from the secure execution environment.

1. A computing device to securely render content, the computing device comprising:
a processor graphics to render content for display on a display;
a gesture recognition module to detect a user interface gesture as a function of input data generated by an input device in response to an input received from a user of the computing device;
a secure execution environment management module to (i) initialize a secure execution environment on the processor graphics and (ii) transfer view rendering code and associated state data to the secure execution environment; and
a rendering module established in the secure execution environment of the processor graphics, the rendering module to:
execute the view rendering code to render an initial view of the content on the display; and
render an updated view of the content as a function of the detected user interface gesture, using the view rendering code, to display the updated view of the content on the display.
2. The computing device of claim 1, wherein the secure execution environment of the processor graphics comprises the gesture recognition module.
3. The computing device of claim 1, ...

Publication date: 14-01-2016

Secure Rendering of Display Surfaces

Number: US20160012565A1
Assignee:

A protected graphics module can send its output to a display engine securely. Secure communications with the display can provide a level of confidentiality of content generated by protected graphics modules against software and hardware attacks.

1. A method comprising:
sending an output from a protected graphics module in a graphics processing unit to a display engine, said module to assert correctness of execution to a remote party, and said module only executable on said graphics processing unit; and
enabling the display engine to enter the protected graphics module.
2. The method of including linking a display surface to a secure surface binding table.
3. The method of including blocking reads from the display surface.
4. The method of including encrypting writes to the display surface using a key associated with the current display context.
5. The method of including using a protected graphics entry surface to display a surface.
6. The method of including enabling a display engine to enter a protected graphics module.
7. The method of including using the protected graphics entry surface to provide a way to access the surface.
8. The method of including providing a way to access the surface residing in an enclave page cache.
9. The method of including providing a way to access the surface in the enclave page cache using the protected graphics entry structure.
10. The method of including decrementing an expiry counter in the protected graphics entry structure on a refresh cycle.
11. One or more non-transitory computer readable media storing instructions executed by a processor to perform a sequence comprising:
sending an output from a protected graphics module in a graphics processing unit to a display engine, said module to assert correctness of execution to a remote party, and said module only executable on said graphics processing unit; and
enabling the display engine to enter the protected graphics module.
12. The media of claim 11, said sequence including linking a display ...

Publication date: 03-02-2022

CRYPTOGRAPHIC PROTECTION OF MEMORY ATTACHED OVER INTERCONNECTS

Number: US20220035749A1
Assignee: Intel Corporation

Methods and apparatus relating to cryptographic protection of memory attached over interconnects are described. In an embodiment, memory stores data and a processor having execution circuitry executes an instruction to program an inline memory expansion logic and a host memory encryption logic with one or more cryptographic keys. The inline memory expansion logic encrypts the data to be written to the memory and decrypts encrypted data to be read from the memory. The memory is coupled to the processor via an interconnect endpoint of a system fabric. Other embodiments are also disclosed and claimed.

1. An apparatus comprising:
a system fabric to couple interconnect attached non-volatile memory and volatile memory to a processor; and
an inline memory expansion logic, coupled to an interconnect endpoint of the system fabric, to encrypt data to be written to the interconnect attached non-volatile memory and to decrypt encrypted data to be read from the interconnect attached non-volatile memory, wherein the interconnect endpoint is to operate in accordance with the Compute Express Link™ (CXL™) protocol.
2. The apparatus of claim 1, wherein the interconnect attached non-volatile memory is to be accessed in block mode or direct access mode.
3. The apparatus of claim 1, comprising host memory encryption logic to encrypt data to be written to the volatile memory and to decrypt encrypted data to be read from the volatile memory.
4. The apparatus of claim 1, wherein the interconnect attached non-volatile memory and the volatile memory are to be accessible as a single system main memory by the processor.
5. The apparatus of claim 1, wherein the interconnect attached non-volatile memory is a far memory in a two level memory system and the volatile memory is a near memory in the two level memory system.
6. The apparatus of claim 1, wherein one or more of the processor, the interconnect attached non-volatile memory, the inline memory expansion logic, the ...

Publication date: 18-01-2018

System, Apparatus And Method For Secure Monotonic Counter Operations In A Processor

Number: US20180018288A1
Assignee:

In one embodiment, an apparatus includes: at least one core to execute instructions, the at least one core formed on a semiconductor die; a first memory formed on the semiconductor die, the first memory comprising a non-volatile random access memory, the first memory to store a first entry to be a monotonic counter, the first entry including a value field and a status field; and a control circuit, wherein the control circuit is to enable access to the first entry if the apparatus is in a secure mode and otherwise prevent the access to the first entry. Other embodiments are described and claimed.

1. An apparatus comprising:
at least one core to execute instructions, the at least one core formed on a semiconductor die;
a first memory formed on the semiconductor die, the first memory comprising a non-volatile random access memory, the first memory to store a first entry to be a monotonic counter, the first entry including a value field and a status field; and
a control circuit, wherein the control circuit is to enable access to the first entry if the apparatus is in a secure mode and otherwise prevent the access to the first entry.
2. The apparatus of claim 1, wherein the control circuit is to update a value stored in the value field responsive to a first user-level monotonic counter instruction.
3. The apparatus of claim 2, wherein the status field comprises a rollover indicator to indicate whether the value stored in the value field has rolled over and a second indicator to indicate whether a backup storage for the monotonic counter is corrupt.
4. The apparatus of claim 2, wherein the control circuit is to cause the value field to be set to a first value received from a second computing system responsive to a second user-level monotonic counter instruction, wherein the first value comprises a consumption level for a secure content.
5. The apparatus of claim 4, wherein the apparatus is to prevent access to the secure content if the first value at least meets a ...

03-02-2022 publication date

TECHNIQUES TO ENFORCE POLICIES FOR COMPUTING PLATFORM RESOURCES

Number: US20220038505A1
Assignee: Intel Corporation

Various embodiments are generally directed to techniques to enforce policies for computing platform resources, such as to prevent denial of service (DoS) attacks on the computing platform resources. Some embodiments are particularly directed to ISA instructions that allow trusted software/applications to securely enforce policies on a platform resource/device while allowing untrusted software to control allocation of the platform resource. In many embodiments, the ISA instructions may enable secure communication between a trusted application and a platform resource. In several embodiments, a first ISA instruction implemented by microcode may enable a trusted application to wrap policy information for secure transmission through an untrusted stack. In several such embodiments, a second ISA instruction implemented by microcode may enable untrusted software to verify the validity of the wrapped blobs and program registers associated with the platform resource with policy information provided via the wrapped blobs.

1. An apparatus, comprising: a processor; and a memory comprising untrusted system instructions, which when executed by the processor cause the processor to: receive a plurality of wrapped policy blobs; and send a configuration command to a trusted computing base, the command to cause the trusted computing base to program, based in part on the wrapped policy blobs, one or more policy registers to allow access to platform resources by the untrusted system instructions.
2. The apparatus of claim 1, wherein the command is further to cause the trusted computing base to set a lock bit associated with the platform resource to allow access to the platform resources by the untrusted system instructions.
3. The apparatus of claim 2, the untrusted system instructions, when executed by the processor, cause the processor to: store at least one of the wrapped policy blobs in a general purpose register accessible by the trusted computing base; and add an indication ...

07-02-2019 publication date

PROCESSOR BASED COMPONENT FIRMWARE UPDATE METHOD AND APPARATUS

Number: US20190042230A1
Assignee:

Apparatuses, methods and storage mediums associated with updating firmware of a component of a computer platform are disclosed herein. In some embodiments, a processor includes an instruction decoder; and a storage having microcode arranged to implement an instruction to verify updates to firmware of a component of a computer platform hosting the processor and the component. The computer platform may include a component firmware update manager. The firmware of a component may include a firmware update plug-in. Other embodiments are also described, and may be claimed.

1. A processor comprising: an instruction decoder; and a storage having microcode arranged to implement an instruction to verify updates to firmware of a component of a computer platform hosting the processor and the component.
2. The processor of claim 1, wherein the microcode is arranged to verify a manifest associated with the updates.
3. The processor of claim 2, wherein the instruction can be dispatched with a virtual address and an identifier of a memory region associated with where the manifest is stored, and the computer platform includes a fuse having a verification public key; and wherein the microcode is arranged to access the manifest using the virtual address and the memory region identifier, and verify authenticity of the manifest using the verification public key.
4. The processor of claim 3, wherein the verification public key is a selected one of a public key of a manufacturer of the processor or a public key of a manufacturer of the component.
5. The processor of claim 3, wherein the microcode is further arranged to verify the manifest is associated with the component.
6. The processor of claim 2, wherein the instruction can be dispatched with a virtual address and an identifier of a memory region associated with where the updates are stored, and the manifest includes a hash of the updates; and wherein the microcode is arranged to verify integrity of the ...

07-02-2019 publication date

Technologies For Securing Data Structures For Controlling Virtual Machines

Number: US20190042296A1
Assignee:

A data processing system with technology to secure a virtual machine control data structure (VMCDS) comprises random access memory (RAM) and a processor in communication with the RAM. The processor comprises virtualization technology that enables the processor to run a virtual machine monitor (VMM) in the data processing system and to run guest software in a virtual machine (VM) that is managed by the VMM. The VM is based at least in part on a VMCDS for the VM. An instruction decoder in the processor recognizes and dispatches a set-mask instruction. The set-mask instruction specifies access restrictions to be imposed on the VMM with respect to the VMCDS of the VM. The processor also comprises a mask enforcer to automatically enforce the access restrictions specified by the set-mask instruction, in response to an attempt by the VMM to access the VMCDS of the VM. Other embodiments are described and claimed.

1. A processor with technology to secure a virtual machine control data structure, the processor comprising: virtualization technology which, when the processor is installed in a data processing system, enables the processor to: run a virtual machine monitor (VMM) in the data processing system; and run guest software in the data processing system in a virtual machine (VM) that is managed by the VMM, wherein the VM is based at least in part on a virtual machine control data structure (VMCDS) for the VM; an instruction decoder to recognize and dispatch a set-mask instruction, wherein the set-mask instruction specifies access restrictions to be imposed on the VMM with respect to the VMCDS of the VM; and a mask enforcer to automatically enforce the access restrictions specified by the set-mask instruction, in response to an attempt by the VMM to access the VMCDS of the VM.
2. A processor according to claim 1, wherein the processor is configured to allow VMs to utilize the set-mask instruction to specify access restrictions to be imposed on the VMM.
3. A processor ...

07-02-2019 publication date

SECURING DATA DIRECT I/O FOR A SECURE ACCELERATOR INTERFACE

Number: US20190042477A1
Assignee: Intel Corporation

The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).

1. An apparatus, comprising: a plurality of processor cores; cache memory communicatively coupled to one or more of the plurality of processor cores; and data direct input output (DDIO) circuitry to transfer DDIO data between the cache memory and accelerator circuitry, wherein the DDIO circuitry is to encrypt and decrypt the DDIO data for the accelerator circuitry.
2. The apparatus of claim 1, further comprising: memory encryption circuitry to encrypt and decrypt data stored in memory, wherein the DDIO circuitry is to transmit encryption requests and decryption requests to the memory encryption circuitry to encrypt and decrypt the DDIO data.
3. The apparatus of claim 2, wherein the DDIO circuitry is to identify a keyID of the DDIO data, the DDIO circuitry to provide the keyID of the DDIO data to the memory encryption circuitry to encrypt and decrypt the DDIO data.
4. The apparatus of claim 3, wherein the DDIO circuitry is to maintain a DDIO key table, wherein the DDIO key table is to store a plurality of keyIDs and a plurality of statuses for the keyIDs to determine if DDIO data is to be encrypted or decrypted.
5. The apparatus of claim 4, wherein the DDIO key table stores keys associated with each of the plurality ...

07-02-2019 publication date

DISPLAY OF PROTECTED CONTENT USING TRUSTED EXECUTION ENVIRONMENT

Number: US20190042706A1
Assignee: Intel Corporation

The present disclosure is directed to secure processing and display of protected content. The use of a trusted execution environment (TEE) to handle authentication and session key negotiation in accordance with a selected content protection protocol may reduce any trusted computing base (TCB) needed for such operations, and thereby present a smaller target for potential attackers. Techniques are presented in which a session key negotiated via such a TEE is securely provided to output circuitry such as a display controller, which may encrypt protected content that has been requested for viewing on a protocol-compliant display device communicatively coupled to a device comprising the TEE and/or the output circuitry. The output circuitry may then provide the encrypted protected content to the protocol-compliant display device, such as for compliant display of the protected content.

1. A system for secure display of protected content, the system comprising: a trusted execution environment (TEE) to initiate key exchange with an authenticated display device, to determine a session key based on the initiated key exchange, and to provide the session key to a host processor; a host processor provisioned with a licensing constant, the host processor to receive the session key from the TEE, to modify the session key based on the licensing constant, and to provide protected content and the modified session key; and a display controller to receive the modified session key and protected content from the TEE and to encrypt the protected content with the modified session key.
2. The system of claim 1, wherein the display controller is further to provide the encrypted protected content to the authenticated display device.
3. The system of claim 1, wherein the TEE is further to authenticate the display device in accordance with a selected content protection protocol.
4. The system of claim 3, wherein to authenticate the display device in accordance with a selected content protection ...

07-02-2019 publication date

ENFORCING SECURE DISPLAY VIEW FOR TRUSTED TRANSACTIONS

Number: US20190042804A1
Assignee:

In embodiments, an apparatus to enforce secure display view for trusted transactions may include a first input interface to receive from an application, via a trusted execution environment (TEE), viewport size data and an identifier of a display associated with a secure display of a trusted transaction; a second input interface to receive from the application, via an untrusted execution environment, an encrypted transaction bitmap associated with the trusted transaction, to be securely displayed on the display; and an enforcement engine coupled to the first input interface and the second input interface, to verify that the size and location of the transaction bitmap are within the viewport to ensure the secure display of the transaction bitmap. In embodiments, after verification that the size and location of the transaction bitmap are within the viewport, the transaction bitmap may be displayed.

1. An apparatus to enforce secure display view for trusted transactions, comprising: a first input interface to receive from an application, via a trusted execution environment, viewport size data and an identifier of a display associated with a secure display of a trusted transaction; a second input interface to receive from the application, via an untrusted execution environment, an encrypted transaction bitmap associated with the trusted transaction, to be securely displayed on the display; and an enforcement engine coupled to the first input interface and the second input interface, to verify the size and location of the transaction bitmap are within the viewport to ensure the secure display of the transaction bitmap, wherein the transaction bitmap is displayed after verification that the size and location of the transaction bitmap are within the viewport.
2. The apparatus of claim 1, wherein to verify the size and location of the transaction bitmap are within the viewport to ensure the secure display of the transaction bitmap, the enforcement engine is to: ...

01-05-2014 publication date

Allocating Memory Access Control Policies

Number: US20140123235A1
Assignee:

Enabling access control caches for co-processors to be changed using a VMX-nonroot instruction. As a result, a transition to VMX-root is not needed, saving the cycles involved in such a transition.

1. A method comprising: enabling access control contexts to be changed using a VMX-nonroot instruction and without transitioning to the VMX-root.
2. The method of including setting up access tables with a unique root pointer for a set of permissions.
3. The method of including assigning the set of permissions to a context.
4. The method of including switching root pointers.
5. The method of including flushing permission caches.
6. The method of including offloading kernel scheduling to a graphics processor.
7. The method of including enabling the graphics processor to switch root pointers.
8. The method of including setting up a context for a co-processor in VMX-nonroot.
9. The method of including sending the context to the VMX-root.
10. The method of including extracting access control information for the context in the VMX-root.
11. A non-transitory computer readable medium storing instructions to enable a processor to perform: enabling access control contexts to be changed using a VMX-nonroot instruction and without transitioning to the VMX-root.
12. The medium of further storing instructions to perform a method including setting up access tables with a unique root pointer for a set of permissions.
13. The medium of further storing instructions to perform a method including assigning the set of permissions to a context.
14. The medium of further storing instructions to perform a method including switching root pointers.
15. The medium of further storing instructions to perform a method including flushing permission caches.
16. The medium of further storing instructions to perform a method including offloading kernel scheduling to a graphics processor.
17. The medium of further storing instructions to perform a method including enabling the graphics processor to switch root pointers.
18. ...

07-02-2019 publication date

SECURE KEY SHARING BETWEEN A SENSOR AND A COMPUTING PLATFORM USING SYMMETRIC KEY CRYPTOGRAPHY

Number: US20190044708A1
Author: Dewan Prashant
Assignee:

Technologies disclosed herein provide an apparatus comprising a sensor including a first processor configured to execute first instructions to identify, based on an index, a first encrypted key of a first set of encrypted keys, identify, based on the index, a second encrypted key of a second set of encrypted keys, and extract a first trusted symmetric key from the first encrypted key using a first decryption algorithm and a first decryption key. The apparatus further comprises a computing platform coupled to the sensor and including a memory element and a processor configured to execute second instructions stored in the memory element to receive the second encrypted key from the sensor and extract a second trusted symmetric key from the second encrypted key using a second decryption algorithm and a second decryption key, where the first trusted symmetric key matches the second trusted symmetric key.

1-9. (canceled)
11-25. (canceled)
26. An apparatus, comprising: a sensor including a first processor configured to execute first instructions to: identify, based on an index, a first encrypted key of a first set of encrypted keys; identify, based on the index, a second encrypted key of a second set of encrypted keys; and extract a first trusted symmetric key from the first encrypted key using a first decryption algorithm and a first decryption key; and a computing platform coupled to the sensor and including a memory element and a second processor configured to execute second instructions stored in the memory element to: receive the second encrypted key from the sensor; and extract a second trusted symmetric key from the second encrypted key using a second decryption algorithm and a second decryption key, wherein the first trusted symmetric key matches the second trusted symmetric key.
27. The apparatus of claim 26, wherein the second processor is configured to execute the second instructions to: randomly select the index; and send the index to the sensor prior ...

07-02-2019 publication date

TECHNIQUES TO ENFORCE POLICIES FOR COMPUTING PLATFORM RESOURCES

Number: US20190044977A1
Assignee:

Various embodiments are generally directed to techniques to enforce policies for computing platform resources, such as to prevent denial of service (DoS) attacks on the computing platform resources. Some embodiments are particularly directed to ISA instructions that allow trusted software/applications to securely enforce policies on a platform resource/device while allowing untrusted software to control allocation of the platform resource. In many embodiments, the ISA instructions may enable secure communication between a trusted application and a platform resource. In several embodiments, a first ISA instruction implemented by microcode may enable a trusted application to wrap policy information for secure transmission through an untrusted stack. In several such embodiments, a second ISA instruction implemented by microcode may enable untrusted software to verify the validity of the wrapped blobs and program registers associated with the platform resource with policy information provided via the wrapped blobs.

1. An apparatus, the apparatus comprising: a processor; and generate a wrapped lock policy and a wrapped unlock policy with a first instruction set architecture (ISA) instruction implemented by microcode based on policy data provided by trusted software, wherein the wrapped lock policy includes a policy setting for a platform resource based on the policy data; communicate the wrapped lock policy and the wrapped unlock policy to untrusted system software; verify the wrapped lock policy and the wrapped unlock policy with a second ISA instruction implemented by microcode; determine generation of the wrapped lock policy and the wrapped unlock policy are associated with a common owner identifier; and store the policy setting in a policy register to program the platform resource for use by the trusted software with the second ISA instruction based on verification of the wrapped lock policy and the wrapped lock policy and determination the wrapped lock ...

07-02-2019 publication date

SECURE REPORTING OF PLATFORM STATE INFORMATION TO A REMOTE SERVER

Number: US20190045016A1
Assignee: Intel Corporation

Technologies disclosed herein provide a method for receiving at a device, from a remote server, a request for state information from a first processor of the device, obtaining the state information from one or more registers of the first processor based on a request structure indicated by a first instruction of a software program executing on the device, and generating a response structure based, at least in part, on the obtained state information. The method further includes using a cryptographic algorithm and a shared key established between the device and the remote server to generate a signature based, at least in part, on the response structure, and communicating the response structure and the signature to the remote server. In more specific embodiments, the response structure and the request structure each include a same nonce value.

1. At least one machine readable medium comprising one or more instructions stored thereon, the one or more instructions when executed by one or more processors cause the one or more processors to: receive, from a remote server, a request for state information from a first processor; obtain the state information from one or more registers in the first processor based on a request structure indicated by a first instruction of the one or more instructions; generate a response structure based, at least in part, on the obtained state information; generate a signature based, at least in part, on the response structure, a cryptographic algorithm, and a shared key established between the one or more processors and the remote server; and communicate the response structure and the signature to the remote server.
2. The at least one machine readable medium of claim 1, wherein the response structure and the request structure each include a same nonce value.
3. The at least one machine readable medium of claim 1, wherein the first instruction, when executed by the one or more processors, cause the one or more processors to: ...

15-02-2018 publication date

TECHNIQUES FOR ENFORCING A DEPTH ORDER POLICY FOR GRAPHICS IN A DISPLAY SCENE

Number: US20180047307A1
Assignee: Intel Corporation

Various embodiments are generally directed to an apparatus and method for processing an encrypted graphic with a decryption key associated with a depth order policy including a depth position of a display scene, generating a graphic from the encrypted graphic when the encrypted graphic is successfully decrypted using the decryption key, and assigning the graphic to a plane at the depth position of the display scene when the encrypted graphic is successfully decrypted.

1-25. (canceled)
26. An apparatus, comprising: a memory; and logic, at least a portion of the logic implemented in circuitry coupled to the memory, the logic to: generate a depth order policy based on a request from an application, the request from the application to include an encryption key unique to the application; assign the depth order policy to a graphic; identify a notice to send the graphic to a policy enforcement module (PEM) based on a determination the depth order policy is enforceable; encrypt the graphic with the encryption key unique to the application; and communicate an encrypted version of the graphic to the PEM.
27. The apparatus of claim 26, the depth order policy to indicate a depth position in one of a set of layers of a display scene.
28. The apparatus of claim 26, the logic to communicate the depth order policy to the PEM for the determination the depth order policy is enforceable.
29. The apparatus of claim 26, the logic to discard the encryption key unique to the application in response to communication of the encrypted version of the graphic to the PEM.
30. The apparatus of claim 26, the request from the application to include a key pair comprising the encryption key unique to the application and a decryption key unique to the application.
31. The apparatus of claim 30, the logic to associate the key pair with the graphic and the depth order policy.
32. The apparatus of claim 30, the logic to generate a depth order package comprising the depth order policy, ...

08-05-2014 publication date

Protecting Systems from Unauthorized Access to System Resources Using Browser Independent Web Page Technology

Number: US20140130187A1
Assignee:

In some embodiments, a filter may filter web graphics library code executing on the graphics processing unit. As a result, the web graphics library code may be prevented from accessing memory or other resources that are not allocated specifically for the web graphics library module. Likewise, web graphics library code may not access any shared resources that have not been explicitly assigned to the process-specific web graphics library module.

1. A method comprising: compiling a browser independent web page technology code in a sandbox run on a graphics processing unit; filtering the compiled code based on user security configuration to limit resources accessible to said code; and preventing the compiled, filtered browser independent web page technology code from accessing a resource not specifically allocated to the code.
2. The method of including preventing access in a graphics processing unit.
3. The method of including compiling the code and generating an access control map for the code to control access rights for the code.
4. The method of including checking a write by said code to determine if the access rights of the code permit the write.
5. The method of including aborting the write if the write does not comply with the code's access policy rights.
6. The method of including providing protection to the code running on a device from other code running on that device.
7. The method of including providing restrictions that prevent the code from maliciously tampering with other code or data on the device.
8. The method of including exposing said protection or restriction to a programmer using a scripting language.
9. The method of including providing an out-of-band channel to describe restrictions beyond a browser session.
10. The method of wherein preventing code including preventing at least one of web graphics library or web computing language code from accessing a resource not specifically allocated to that code.
11. One or more non-transitory computer readable media storing ...

17-03-2022 publication date

HARDWARE-ASSISTED PRIVACY PROTECTION USING A SECURE USER INTERFACE WITH MULTI-LEVEL ACCESS CONTROL OF SENSOR DATA

Number: US20220083678A1
Assignee: Intel Corporation

Technologies provide hardware-assisted privacy protection of sensor data. One embodiment includes unlocking a user interface coupled to a trusted execution environment of a processor in a device, where the user interface includes a plurality of selectable settings associated with a plurality of access levels for sensor data captured by a sensor. The embodiment also includes receiving a selection signal from the user interface indicating that a user selected a first setting associated with a first access level for the sensor data captured by the sensor, and restricting access to the sensor data based on a first set of one or more entities associated with the first access level. In more specific embodiments, the user interface includes a knob that is rotatably attached to a housing of the device or a privacy panel including a slider bar that is to be displayed on a touch screen display of the device.

1. (canceled)
2. An apparatus, comprising: a processor including a trusted execution environment (TEE), wherein the TEE is to: receive a selection signal from a user interface indicating that a user selected a first setting of a plurality of selectable settings included in the user interface, the plurality of selectable settings associated with a plurality of access levels for first sensor data captured by a first sensor, the plurality of access levels to correspond to respective combinations of entities to access the first sensor data, wherein the first setting is to be associated with a first access level corresponding to a first combination of entities to access the first sensor data captured by the first sensor; and restrict access to the first sensor data to the first combination of entities specified by the first access level.
3. The apparatus of claim 2, wherein the first setting is to be selected by the user for a particular combination of sensors including the first sensor.
4. The apparatus of claim 3, wherein the sensors of the particular combination of ...

11-03-2021 publication date

SECURING DATA DIRECT I/O FOR A SECURE ACCELERATOR INTERFACE

Number: US20210073145A1
Assignee: Intel Corporation

The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).

1-20. (canceled)
21. An apparatus, comprising: cache memory; and one or more processor cores communicatively coupled to the cache memory, the one or more processor cores to: encrypt a key identification (ID) and an encryption key into an encryption package unreadable by a virtual machine or a virtual machine manager; provide the encryption package to trusted software to cause the key ID to be programmed by the virtual machine or the virtual machine manager into a direct data input output (DDIO) circuitry to be coupled to the one or more processor cores, the DDIO circuitry configured to transfer DDIO data between the cache memory and an accelerator circuitry and to encrypt and decrypt DDIO data for the accelerator circuitry; after providing the encryption package to the trusted software, receive the encryption package with an unwrap command from the virtual machine or the virtual machine manager; and execute the unwrap command by decrypting the encryption package and by sending a cryptographic response to the virtual machine or virtual machine manager verifying that the unwrap command was successfully executed.
22. The apparatus of claim 21, wherein the one or more processor cores are to encrypt in ...

05-06-2014 publication date

Secure Environment for Graphics Processing Units

Number: US20140157410A1
Assignee:

In accordance with some embodiments, a protected execution environment may be defined for a graphics processing unit. This framework not only protects the workloads from malware running on the graphics processing unit but also protects those workloads from malware running on the central processing unit. In addition, the trust framework may facilitate proof of secure execution by measuring the code and data structures used to execute the workload. If a part of the trusted computing base of this framework or protected execution environment is compromised, that part can be patched remotely and the patching can be proven remotely through attestation in some embodiments.

1. A method comprising: creating a trusted framework for another processing unit on a central processing unit by providing an enclave on the central processing unit to build a protected module on the another processing unit.
2. The method of including enabling the enclave to communicate with the module via a cache in memory shared between said central processing unit and said another processing unit.
3. The method of including storing code and data used by said module in said cache.
4. The method of including creating said cache in memory inaccessible by an operating system on said central processing unit.
5. The method of including executing an application on said central processing unit to launch said enclave.
6. The method of including using said enclave to convert module code to binary code.
7. The method of including verifying a workload in said enclave and loading code and data from said workload to create said module.
8. The method of including causing an untrusted kernel driver to execute enclave supplied code to invoke said module.
9. The method of including causing the module to write execution results to said enclave.
10. The method of including creating a framework for another processing unit including processing graphics.
11. The method of including asserting correctness of the module to a remote ...

More
Publication date: 26-03-2015

Secure video output path

Number: US20150086012A1
Assignee: Intel Corp

Systems and methods for secure delivery of output surface bitmaps to a display engine. An example processing system comprises: an architecturally protected memory; and a processing core communicatively coupled to the architecturally protected memory, the processing core comprising a processing logic configured to implement an architecturally-protected execution environment by performing at least one of: executing instructions residing in the architecturally protected memory and preventing an unauthorized access to the architecturally protected memory; wherein the processing logic is further configured to provide a secure video output path by generating an output surface bitmap encrypted with a first encryption key and storing an encrypted first encryption key in an external memory, wherein the encrypted first encryption key is produced by encrypting the first encryption key with a second encryption key.

More
Publication date: 24-03-2016

TECHNOLOGIES FOR MULTI-FACTOR SECURITY ANALYSIS AND RUNTIME CONTROL

Number: US20160088019A1
Author: Dewan Prashant, LI HONG
Assignee:

Technologies for client-level web application runtime control and multi-factor security analysis by a computing device include receiving application code associated with a browser-based application from a web server. The computing device collects real-time data generated by at least one sensor of the computing device and performs a multi-factor security assessment of the browser-based application as a function of the collected real-time data and the application code. Further, the computing device establishes a client-level web application runtime security policy associated with the browser-based application in response to performing the multi-factor security assessment and enforces the client-level web application runtime security policy.

1. A computing device for client-level web application runtime control and multi-factor security analysis, the computing device comprising:
at least one sensor;
a browser to receive application code associated with a browser-based application from a web server; and
a web security module to (i) collect real-time data generated by the at least one sensor, (ii) perform a multi-factor security assessment of the browser-based application as a function of the collected real-time data and the application code, (iii) determine whether the application code is modifiable to eliminate execution of impermissible code in response to an indication of the multi-factor security assessment that the application code includes the impermissible code, (iv) modify the application code in response to a determination that the application code is modifiable to eliminate the execution of the impermissible code, (v) establish a client-level web application runtime security policy associated with the browser-based application in response to the multi-factor security assessment, and (vi) enforce the client-level web application runtime security policy on the computing device,
wherein the client-level web application runtime security policy identifies at least one ...

More
Publication date: 31-03-2022

PLATFORM SECURITY MECHANISM

Number: US20220100863A1
Assignee: Intel Corporation

An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.

1. An apparatus comprising:
a non-volatile memory, including:
a storage drive;
a host controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys;
an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys; and
a security controller to receive the cryptographic keys from a physically unclonable function (PUF) engine and provide the cryptographic keys to the encryption engine via the one or more key slots.
2. The apparatus of claim 1, wherein the one or more cryptographic keys are programmed into the controller during manufacture of the non-volatile memory.
3. The apparatus of claim 1, wherein the security controller receives the cryptographic keys from a fuse controller.
4. The apparatus of claim 1, wherein the non-volatile memory further comprises Basic Input/Output System (BIOS) firmware to provision an operating system image into the non-volatile memory during a booting process.
5. The apparatus of claim 4, wherein the BIOS firmware reads a security header included in the operating system image.
6. The apparatus of claim 5, wherein the security header provides an indication of storage blocks in the storage drive storing the operating system image as plain text.
7. The apparatus of claim 6, wherein the BIOS firmware configures the host controller to not ...

More
Publication date: 31-03-2022

PLATFORM SECURITY MECHANISM

Number: US20220100864A1
Assignee: Intel Corporation

An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.

1. An apparatus to facilitate security within a computing system, comprising:
a non-volatile memory, including:
a storage drive;
a Peripheral Component Interconnect Express (PCIe) controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys; and
an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.
2. The apparatus of claim 1, wherein the one or more cryptographic keys are programmed into the PCIe controller during manufacture of the non-volatile memory.
3. The apparatus of claim 2, further comprising a security controller to generate the cryptographic keys.
4. The apparatus of claim 3, wherein the security controller receives the cryptographic keys from a physically unclonable function (PUF) engine.
5. The apparatus of claim 3, wherein the security controller receives the cryptographic keys from a fuse controller.
6. The apparatus of claim 1, wherein the non-volatile memory further comprises Basic Input/Output System (BIOS) firmware to provision an operating system image into the non-volatile memory during a booting process.
7. The apparatus of claim 1, wherein the BIOS firmware reads a security header included in the operating system image.
8. The apparatus of claim 7, wherein the security header provides an indication of storage blocks in the storage ...

More
Publication date: 31-03-2022

PLATFORM SECURITY MECHANISM

Number: US20220100865A1
Assignee: Intel Corporation

An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.

1. An apparatus comprising:
a computing platform, including
a security controller to generate cryptographic keys; and
a host controller comprising a trusted port having one or more key slots to receive the cryptographic keys from the security controller; and
an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.
2. The apparatus of claim 1, wherein the security controller receives the cryptographic keys from a physically unclonable function (PUF) engine.
3. The apparatus of claim 2, wherein the security controller receives the cryptographic keys from a fuse controller.
4. The apparatus of claim 1, wherein the platform further comprises Basic Input/Output System (BIOS) firmware to provision an operating system image during a booting process.
5. The apparatus of claim 4, wherein the BIOS firmware reads a security header included in the operating system image.
6. The apparatus of claim 5, wherein the security header provides an indication of storage blocks in the storage drive storing the operating system image as plain text.
7. The apparatus of claim 6, wherein the BIOS firmware configures the host controller to not decrypt storage blocks in the storage device indicated in the security header.
8. The apparatus of claim 7, wherein the BIOS reads the operating system image from the storage blocks.
9. The ...

More
Publication date: 31-03-2022

PLATFORM SECURITY MECHANISM

Number: US20220100866A1
Assignee: Intel Corporation

An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.

1. An apparatus comprising:
a non-volatile memory, including:
a storage drive; and
a host controller to program one or more cryptographic keys;
an encryption engine to receive the cryptographic keys, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys; and
one or more processors to execute Basic Input/Output System (BIOS) firmware to provision an operating system image into the non-volatile memory during a booting process and configure the host controller to not decrypt one or more storage blocks in the storage device.
2. The apparatus of claim 1, wherein the BIOS firmware reads a security header included in the operating system image that provides an indication of storage blocks in the storage drive storing the operating system image as plain text.
3. The apparatus of claim 2, wherein the BIOS firmware configures the controller to not decrypt the storage blocks indicated in the security header.
4. The apparatus of claim 3, wherein the BIOS reads the operating system image from the storage blocks.
5. The apparatus of claim 4, wherein the host controller encrypts the operating system image via the cryptographic keys and stores the encrypted operating system image to the storage drive.
6. The apparatus of claim 5, wherein the one or more cryptographic keys are programmed into the host controller during manufacture of the non-volatile memory.
7. The apparatus of claim 5, further ...

More
Publication date: 21-03-2019

METHOD AND APPARATUS TO PROVIDE SECURE APPLICATION EXECUTION

Number: US20190087586A1
Assignee:

A technique to enable secure application and data integrity within a computer system. In one embodiment, one or more secure enclaves are established in which an application and data may be stored and executed.

1. A system comprising a memory and a processor, the processor comprising:
execution logic to perform at least a first instruction to move protected data between an enclave page cache (EPC) and a second storage area during execution of a program accessing the protected data, wherein the program is to run in a protected mode.
2. The system of claim 1, wherein the processor further comprises a security map (SMAP) to help ensure integrity of the program when the program is stored in a hard disk drive or protected memory.
3. The system of claim 1, wherein the execution logic is further to perform a first instruction to identify a software thread running in a secure enclave, wherein the first instruction is to inform a user's program of the identity of the software thread.
4. The system of claim 3, wherein the execution logic is further to perform at least a first instruction to dynamically access at least one information field to determine integrity of data stored in the secure enclave, wherein the at least one information field includes a secure map (SMAP) field and a security information (SEC_INFO) field.
5. The system of claim 1, wherein the execution logic is further to perform a first instruction to report a state of a secure enclave stored in memory to either a local or remote agent.
6. The system of claim 1, wherein the processor further comprises:
a crypto memory aperture (CMA) to protect a software program against attacks when the software program is executing; and
a secure map (SMAP) to protect the software program when the software program is not executing.
7. The system of claim 1, wherein the execution logic is further to perform at least one secure enclave access instruction to allocate or de-allocate memory or software threads ...

More
Publication date: 05-05-2022

Method and apparatus for firmware patching

Number: US20220137955A1
Assignee:

A method of handling a firmware update for a device is disclosed, comprising: determining a device to be in an updatable state; setting the device into an updating state after determining the updatable state; and after the device is in the updating state, writing a firmware update to memory for the device. After writing the firmware update, the device is switchable to a working state in which the device operates based on the firmware update.

More
Publication date: 05-05-2022

GRAPHICS SECURITY WITH SYNERGISTIC ENCRYPTION, CONTENT-BASED AND RESOURCE MANAGEMENT TECHNOLOGY

Number: US20220141026A1
Assignee:

Methods, apparatuses and system provide for technology that interleaves a plurality of verification commands with a plurality of copy commands in a command buffer, wherein each copy command includes a message authentication code (MAC) derived from a master session key, wherein one or more of the plurality of verification commands corresponds to a copy command in the plurality of copy commands, and wherein a verification command at an end of the command buffer corresponds to contents of the command buffer. The technology may also add a MAC generation command to the command buffer, wherein the MAC generation command references an address of a compute result.

More
Publication date: 28-03-2019

TECHNOLOGIES FOR A MEMORY ENCRYPTION ENGINE FOR MULTIPLE PROCESSOR USAGES

Number: US20190095351A1
Assignee:

Technologies for secure memory usage include a computing device having a processor that includes a memory encryption engine and a memory device coupled to the processor. The processor supports multiple processor usages, such as secure enclaves, system management firmware, and a virtual machine monitor. The memory encryption engine is configured to protect a memory region stored in the memory device for a processor usage. The memory encryption engine restricts access to one or more configuration registers to a trusted code base of the processor usage. The processor executes the processor usage and the memory encryption engine protects contents of the memory region during execution. The memory encryption engine may access integrity metadata based on the address of the protected memory region. The memory encryption engine may prepare top-level counter metadata for entering a low-power state. Other embodiments are described and claimed.

1. A computing device for secure memory usage, the computing device comprising:
a processor that includes a memory encryption engine, wherein the processor supports a plurality of processor usages;
a memory device coupled to the processor; and
configuration logic to configure the memory encryption engine to protect a first memory region for a first processor usage of the plurality of processor usages, wherein the first memory region is stored by the memory device;
wherein the processor is to execute the first processor usage in response to configuration of the memory encryption engine; and
wherein the memory encryption engine is to protect contents of the first memory region in response to execution of the first processor usage.
2. The computing device of claim 1, wherein:
to configure the memory encryption engine comprises to write a configuration value to a configuration register of the memory encryption engine, wherein the configuration register is associated with the first processor usage; and
the memory encryption engine is to restrict ...

More
Publication date: 04-04-2019

TECHNOLOGIES FOR SECURE Z-ORDER ENFORCEMENT WITH TRUSTED DISPLAY

Number: US20190103074A1
Assignee:

Technologies for secure z-order enforcement include a computing device having a processor with secure enclave support. A secure enclave invokes an EBIND instruction with display programming information that includes a z-order enforcement policy indicating whether the secure enclave requests z-order enforcement for an overlay surface associated with the secure enclave. The processor generates wrapped programming information in response to invoking the EBIND instruction. An untrusted supervisor component such as a device driver invokes an UNWRAP instruction with the wrapped programming information. The processor unwraps the wrapped programming information and programs a display controller with the z-enforcement policy. The processor may read a z-order enforcement status register of the display controller to determine if an overlay surface is available. For z-order enforcement, the display controller composes the overlay surface associated with the secure enclave in front of all other overlay surfaces of the display controller. Other embodiments are described and claimed.

1. A computing device for secure display z-order enforcement, the computing device comprising:
a display controller;
a trusted execution environment to invoke a first processor instruction with display programming information that includes a z-order enforcement policy, wherein the z-order enforcement policy indicates whether the trusted execution environment requests z-order enforcement for an overlay surface associated with the trusted execution environment;
a processor that includes a wrapping engine to generate wrapped programming information based on the display programming information in response to invocation of the first processor instruction, wherein the wrapped programming information comprises a message authentication code over the z-order enforcement policy; and
an untrusted supervisor component to invoke a second processor instruction with the wrapped programming information;
wherein the ...

More
Publication date: 21-04-2016

INTERFACE BETWEEN A DEVICE AND A SECURE PROCESSING ENVIRONMENT

Number: US20160110540A1
Assignee: Intel Corporation

Embodiments of an invention for an interface between a device and a secure processing environment are disclosed. In one embodiment, a system includes a processor, a device, and an interface plug-in. The processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to create a secure processing environment. The execution unit is to execute an application in the secure processing environment. The device is to execute a workload for the application. The interface plug-in is to provide an interface for the device to enter the secure processing environment to execute the workload.

1. A system comprising:
a processor including
an instruction unit to receive a first instruction, wherein the first instruction is to create a secure processing environment, and
an execution unit to execute an application in the secure processing environment;
a device to execute a workload for the application; and
an interface plug-in to provide an interface for the device to enter the secure processing environment to execute the workload.
2. The system of claim 1, further comprising a memory space reserved for the secure processing environment.
3. The system of claim 2, wherein the interface plug-in includes a first access control unit to control access from the device to the memory space reserved for the secure processing environment.
4. The system of claim 3, wherein the first access control unit is to allow the device to access only a first subset of the memory space reserved for the secure processing environment.
5. The system of claim 4, further comprising a second access control unit to allow the processor to access the first subset and a second subset of the memory space reserved for the secure processing environment.
6. The system of claim 5, further comprising an input/output memory management unit to translate a first address provided by the device to a second address for accessing the memory space.
7. The system of claim 6, ...

More
Publication date: 04-04-2019

SYSTEM AND TECHNIQUES FOR ENCRYPTING CHIP-TO-CHIP COMMUNICATION LINKS

Number: US20190103961A1
Assignee:

Embodiments detailed herein relate to techniques which enable the creation of secure point-to-point interconnect communication channels between hardware components which may be independently manufactured and arbitrarily paired with one another in a computer system. Also detailed herein is instruction support for dynamically enabling and disabling the security of a point-to-point interconnect link.

1. An apparatus, comprising:
a processing core;
an input/output (I/O) port, coupled to the processing core, having circuitry to
establish a first secure communication channel between the processing core and a hardware component that is coupled to the I/O port via a point-to-point interconnect, wherein the first secure communication channel is established using a public key exchange protocol, and
send a cryptographic key to the hardware component using the first secure communication channel, the cryptographic key used to establish a second secure communication channel between the processing core and a device coupled to the hardware component.
2. The apparatus of claim 1, wherein the hardware component is an I/O controller hub supporting one or more I/O devices.
3. The apparatus of claim 1, wherein the hardware component is an I/O controller hub and the device coupled to the hardware component is a secure sensor.
4. The apparatus of claim 1, wherein sending the cryptographic key to the hardware component using the first secure communication channel includes encrypting the cryptographic key using a public key of a public-private key pair created by the public key exchange protocol.
5. The apparatus of claim 1, wherein the I/O port further has circuitry to decrypt data received from the hardware component using a private key of a public-private key pair created using the public key exchange protocol.
6. The apparatus of claim 1, wherein the I/O port further has circuitry to store, in a buffer, data related to at least one operation to be performed ...

More
Publication date: 03-07-2014

WEB APPLICATION CONTAINER FOR CLIENT-LEVEL RUNTIME CONTROL

Number: US20140189778A1
Author: Dewan Prashant, LI HONG
Assignee:

Technologies for establishing client-level web application runtime control using a computing device include receiving application code for a browser-based application from a web server and generating machine-executable code and an access control map for the application code. The computing device receives application security information associated with the application code from local and/or remote security applications and performs a security assessment of the application code based on the application security information and the access control map. Further, the computing device establishes a runtime security policy for the browser-based application and enforces that policy.

1. A computing device for establishing client-level web application runtime control, the computing device comprising:
a browser to receive application code associated with a browser-based application from a web server;
a browser security interface to generate machine-executable code and an access control map for the application code; and
a web security module to (i) receive application security information associated with the application code from one or more security applications, (ii) perform a security assessment of the browser-based application as a function of the application security information and the access control map, (iii) establish a client-level web application runtime security policy associated with the browser-based application in response to performing the security assessment, and (iv) enforce the established client-level web application runtime security policy on the computing device,
wherein the client-level web application runtime security policy is to identify hardware access rules to be enforced on the computing device.
2. The computing device of claim 1, wherein the browser-based application comprises a Hypertext Markup Language 5 (HTML 5) application.
3. The computing device of claim 1, wherein:
the access control map is a function of at least one of design time rules for the ...

More
Publication date: 28-04-2016

COMPUTING PLATFORM SECURITY METHODS AND APPARATUS

Number: US20160117497A1
Assignee:

Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.

1-82. (canceled)
83. A method, comprising:
establishing a trusted channel between a graphics driver and an application driver via mutual authentication of the graphics driver and the application;
offloading, via the trusted channel, a computing task associated with the application driver to a graphics processing unit; and
configuring a monitor to monitor memory associated with the offloaded computing task for an unauthorized access attempt.
84. A method as defined in claim 83, wherein configuring the monitor comprises defining a policy for a hypervisor having a highest privilege level of a computing platform to monitor the memory.
85. A method as defined in claim 83, further comprising configuring the monitor to operate outside an operating system.
86. A method as defined in claim 83, wherein the monitor is implemented via a Trusted Memory Services Layer.
87. A method as defined in claim 83, further comprising isolating the memory associated with the offloaded computing task from second memory associated with an image rendering task executed by the graphics processing unit.
88. A method as defined in claim 83, wherein the application driver corresponds to a security application, and the computing task comprises a memory scanning operation to detect a pattern associated with malware.
89. A method as defined in claim 83, wherein establishing the trusted channel is performed in ...

More
Publication date: 28-04-2016

COMPUTING PLATFORM SECURITY METHODS AND APPARATUS

Number: US20160117498A1
Assignee:

Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.

1-114. (canceled)
115. A method, comprising:
defining a sliding window;
selecting a plurality of processes to be monitored via the sliding window;
shifting the sliding window through a progression of the plurality of processes; and
mapping memory within the sliding window to a virtual address space.
116. A method as defined in claim 115, further comprising defining a condition to determine an aspect of a first one of the plurality of processes to be mapped to the virtual address space.
117. A method as defined in claim 115, wherein defining the sliding window comprises selecting a window size.
118. A method as defined in claim 115, further comprising executing a scan of the mapped memory.
119. A method as defined in claim 118, further comprising verifying a match found by the scan of the mapped memory.
120. A method as defined in claim 115, wherein shifting the sliding window through the progression of the plurality of processes comprises shifting the sliding window after the memory of a current iteration is mapped to the virtual address space.
121. A method as defined in claim 115, wherein the virtual address space corresponds to a user-mode client of a computing platform.
122. An apparatus, comprising:
a window size definer to define a sliding window;
a process selector to select a plurality of processes to be monitored via the sliding window;
a driver to shift the sliding window ...

More
Publication date: 03-05-2018

DIFFERENTIATED CONTAINERIZATION AND EXECUTION OF WEB CONTENT BASED ON TRUST LEVEL AND OTHER ATTRIBUTES

Number: US20180124057A1
Assignee:

Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

1. An apparatus to differentiate web content, comprising:
a browser interface to receive web content;
a container designation module to determine a trust level associated with the web content; and
an environment module to map the web content to an execution environment based at least in part on the trust level.

This patent arises from a continuation of U.S. patent application Ser. No. 13/830,634, filed on Mar. 14, 2013, entitled "DIFFERENTIATED CONTAINERIZATION AND EXECUTION OF WEB CONTENT BASED ON TRUST LEVEL AND OTHER ATTRIBUTES", which is incorporated herein by reference in its entirety.

Embodiments generally relate to access controls for web-based applications. More particularly, embodiments relate to differentiated containerization and execution of web content based on trust level and other attributes.

Emerging markup languages such as HTML5 (Hypertext Markup Language 5, e.g., HTML5 Editor's Draft 8 May 2012, World Wide Web Consortium/W3C, www*w3*org), LLVM (e.g., LLVM 3.1, May 22, 2012, llvm.org), and other runtime or just in time (JIT) environment languages may support more robust multimedia related web platform development. The use of these languages by a web application developer, however, may also expose client device hardware that would otherwise be inaccessible by traditional web content. While recently developed "sandboxing" solutions may provide some level of protection by preventing certain functions when code is sent as part of a web page, there remains considerable room for improvement. For example, conventional sandboxing solutions may not adequately distinguish between trustworthy sources of web content and untrustworthy sources of web ...

Publication date: 25-08-2022

Asymmetric Device Attestation Using Physically Unclonable Functions

Number: US20220271955A1
Assignee: Intel Corporation

In one example, a system for asymmetric device attestation includes a physically unclonable function (PUF) configured to generate a response to a challenge. A pseudo-random number generator generates a set of random numbers based on the response. A key generator determines co-prime numbers in the set of random numbers and generates a key pair using the co-prime numbers, wherein the public key is released to a manufacturer of the component for attestation of authenticity of the component. Through extending the PUF circuitry with a pseudo-random number generator, the present techniques are able to withstand unskilled and skilled hardware attacks, as the secret derived from the PUF is immune to extraction.

1. A system for asymmetric device attestation, comprising: a physically unclonable function (PUF) corresponding to circuitry of a component of a device, configured to generate a response to a challenge; and a hardware component comprising a key generator to generate a key based on the response; a pseudo-random number generator to generate a set of random numbers based on the key; the key generator to receive the set of random numbers, determine co-prime numbers in the set of random numbers, and generate a key pair using the co-prime numbers, and wherein a public key of the key pair is released to a manufacturer of the component for attestation of authenticity of the component.
2. The system of claim 1, comprising the pseudo-random number generator to terminate the generation of the set of random numbers in response to the key generator determining co-prime numbers in the set of random numbers.
3. The system of claim 1, wherein the public key and the challenge are transmitted to the manufacturer, and in response the manufacturer attests to the authenticity of the component by issuing a certificate.
4. The system of claim 1, wherein the PUF is one of an optical PUF or silicon PUF.
5. The system of claim 1, wherein the key pair is a Rivest ...

Publication date: 01-09-2022

Device ID for Memory Protection

Number: US20220278836A1
Assignee: Intel Corporation

There is disclosed in one example a computing system, including: a processor; a memory; and a memory encryption engine (MEE) including circuitry and logic to: allocate a protected isolated memory region (IMR); encrypt the protected IMR; set an access control policy to allow access to the IMR by a device identified by a device identifier; and upon receiving a memory access request directed to the IMR, enforce the access control policy.

1-20. (canceled)
21. A method of providing access control to a protected region of a computer memory, comprising: receiving, on a communication pathway between a processor and the computer memory, an incoming memory access request, the incoming memory access request comprising a source identifier (source ID) that identifies a device that originated the incoming memory access request; determining that the incoming memory access request is addressed to a memory address in a memory region for which the source ID is authorized to access; and based at least in part on the determining, decrypting data from the memory address and providing the decrypted data to the device that originated the incoming memory access request.
22. The method of claim 21, wherein the memory region is an isolated memory region (IMR).
23. The method of claim 21, further comprising denying access to any device not identified by the source ID.
24. The method of claim 21, further comprising determining that the source ID belongs to a class of source IDs authorized to access the memory region.
25. The method of claim 21, further comprising providing partial-scope memory encryption.
26. The method of claim 21, further comprising providing multi-key total memory encryption.
27. The method of claim 21, further comprising providing one or more access policy registers, and setting an access control policy for a memory encryption engine (MEE) on the communication pathway according to the one or more access policy registers.
28. The method of claim 21, further ...

Publication date: 14-08-2014

TURING TEST BASED USER AUTHENTICATION AND USER PRESENCE VERIFICATION SYSTEM, DEVICE, AND METHOD

Number: US20140230046A1
Assignee: Intel Corporation

A password-less method for authenticating a user includes capturing one or more images of a face of the user and comparing the one or more images with a previously collected face template. Randomly selected colored light and randomized blinking patterns are used to capture the images of the user. Such captured images are compared to previously collected face templates, thereby thwarting spoof attacks. A secret image, known only to the user and the device, is moved from one area of the display to another randomly selected area, using the movements of the user's head or face, thereby providing a Turing based challenge. Protected audio video path (PAVP) enabled devices and components are used to protect the challenge from malware attacks.

1. A password-less method for authenticating a user, comprising: capturing one or more first images of a face of the user; comparing the one or more first images with a previously collected face template; capturing one or more second images of the face of the user; and presenting a password-less challenge to the user on a display based on the one or more second images.
2. The method of claim 1, further comprising: randomly selecting a colored light from a plurality of colored light options; flashing at least one of the display and a flash with the randomly selected colored light; and capturing one or more third images of the face of the user while flashing with the randomly selected colored light.
3. The method of claim 2, wherein flashing further comprises: determining a randomized blinking pattern; flashing the display or the flash in accordance with the randomized blinking pattern.
4. The method of claim 3, wherein capturing one or more third images further comprises: capturing reflections from three dimensional contours of the face of the user while flashing in the randomized blinking pattern and with the randomly selected colored light; and discerning flat surfaces from the three dimensional contours of the face.
5. The method of claim 4, ...

Publication date: 07-06-2018

COMPUTING PLATFORM SECURITY METHODS AND APPARATUS

Number: US20180157832A1
Assignee:

Computing platform security methods and apparatus are disclosed. An example apparatus includes a security application to configure a security task, the security task to detect a malicious element on a computing platform, the computing platform including a central processing unit and a graphics processing unit; and an offloader to determine whether the central processing unit or the graphics processing unit is to execute the security task; and when the graphics processing unit is to execute the security task, offload the security task to the graphics processing unit for execution.

1-142. (canceled)
143. An apparatus comprising: a notifier to provide status information associated with a malware detection scan to a requester of the malware detection scan, the status information including an indication of a process that preempted the malware detection scan; a scan target selector to evaluate the process to identify memory corresponding to the process; and a trigger event analyzer to initiate a security action based on (a) the indication of the process that preempted the malware detection scan and (b) the identified memory.
144. The apparatus of claim 143, wherein the notifier is to provide the status at a privilege level associated with trusted components.
145. The apparatus of claim 143, further including a scheduler to obtain at least one of the status information and a change in the status information.
146. The apparatus of claim 143, wherein the requester is a security application associated with the malware detection scan.
147. The apparatus of claim 143, wherein the security action includes at least one of a memory scan of at least the memory corresponding to the process that preempted the malware detection scan or a restriction of the process that preempted the malware detection scan.
148. A tangible machine readable storage medium comprising instructions that, when executed, cause a machine to at least: communicate status information ...

Publication date: 16-06-2016

VIRTUAL MEMORY ADDRESS RANGE REGISTER

Number: US20160170900A1
Assignee: Intel Corporation

Embodiments of apparatuses and methods including virtual address memory range registers are disclosed. In one embodiment, a processor includes a memory interface, address translation hardware, and virtual memory address comparison hardware. The memory interface is to access a system memory using a physical memory address. The address translation hardware is to support translation of a virtual memory address to the physical memory address. The virtual memory address is used by software to access a virtual memory location in the virtual memory address space of the processor. The virtual memory address comparison hardware is to determine whether the virtual memory address is within a virtual memory address range.

1. A processor comprising: a memory interface to access a system memory using a physical memory address; address translation hardware to support translation of a virtual memory address to the physical memory address, the virtual memory address used by software to access a virtual memory location in a virtual memory address space of the processor; and virtual memory address comparison hardware to determine whether the virtual memory address is within a virtual memory address range.
2. The processor of claim 1, further comprising a virtual memory address range register to store a virtual memory base address of the virtual memory address range.
3. The processor of claim 2, further comprising a physical memory address range register to store a physical memory base address of a physical memory address range.
4. The processor of claim 3, further comprising physical memory address comparison hardware to determine whether the physical memory address is within the physical memory address range.
5. The processor of claim 4, further comprising a mask register to store a mask value.
6. The processor of claim 5, further comprising a first AND circuit to generate a current virtual memory address range value based on the virtual memory address and the mask value.
7. The processor ...

Publication date: 25-06-2015

TECHNIQUES FOR ENFORCING A DEPTH ORDER POLICY FOR GRAPHICS IN A DISPLAY SCENE

Number: US20150180657A1
Assignee:

Various embodiments are generally directed to an apparatus and method for processing an encrypted graphic with a decryption key associated with a depth order policy including a depth position of a display scene, generating a graphic from the encrypted graphic when the encrypted graphic is successfully decrypted using the decryption key, and assigning the graphic to a plane at the depth position of the display scene when the encrypted graphic is successfully decrypted.

1. An apparatus, comprising: processing circuitry; a policy enforcement module for execution on the processing circuitry to process an encrypted graphic with a decryption key associated with a depth order policy, the depth order policy to define a depth position of a display scene, and to generate a graphic from the encrypted graphic when the encrypted graphic is successfully decrypted using the decryption key; and a display blender module for execution on the processing circuitry to assign the graphic to a plane at the depth position of the display scene when the encrypted graphic is successfully decrypted.
2. The apparatus of claim 1, the display blender module to determine the plane at the depth position for the graphic based on the depth order policy.
3. The apparatus of claim 1, comprising: a display control module for execution on the processing circuitry to encrypt a graphic received from an application with the encryption key for securely communicating.
4. The apparatus of claim 1, the policy enforcement module to discard the encrypted graphic when the encrypted graphic is not successfully decrypted using the decryption key associated with the depth order policy.
5. The apparatus of claim 1, the display blender module to determine when the graphic is assigned a same depth position as a second graphic in the plane of the display scene and to determine when overlapping occurs between the graphic and the second graphic.
6. The apparatus of claim 5, the display blender module to discard the graphic or the ...

Publication date: 23-06-2016

PARTITIONING ACCESS TO SYSTEM RESOURCES

Number: US20160182238A1
Assignee:

In one embodiment, a processor has at least one core to execute instructions, a security engine coupled to the at least one core, a first storage to store a first immutable key associated with a vendor of the processor, and a second storage to store a second immutable key associated with an original equipment manufacturer (OEM) of the system. A first portion of firmware is to be verified based at least in part on the first immutable key and a second portion of firmware is to be verified based at least in part on the second immutable key, the first portion of firmware associated with the vendor and the second portion of firmware associated with the OEM. Other embodiments are described and claimed.

1. An apparatus comprising: at least one core to execute instructions; a security engine coupled to the at least one core; a read only memory (ROM) to store a first key associated with a vendor of the apparatus; and a fuse storage to store a second key associated with an original equipment manufacturer (OEM) to include the apparatus in a platform, wherein a first portion of firmware of the platform is to be verified based at least in part on the first key and a second portion of firmware of the platform is to be verified based at least in part on the second key, the first portion of firmware associated with the vendor and the second portion of firmware associated with the OEM.
2. The apparatus of claim 1, wherein the security engine is to verify and execute the first portion of firmware and the at least one core is to execute the second portion of firmware.
3. The apparatus of claim 1, wherein the fuse storage is to be written with the second key during manufacture of the apparatus by the vendor of the apparatus, the apparatus comprising an SoC.
4. The apparatus of claim 1, wherein the first key comprises a hash of a public key of the vendor.
5. The apparatus of claim 1, wherein the security engine and the first portion of firmware are to be inaccessible to the OEM or ...

Publication date: 18-09-2014

Secure Rendering of Display Surfaces

Number: US20140267332A1
Assignee: Intel Corp

A protected graphics module can send its output to a display engine securely. Secure communications with the display can provide a level of confidentiality of content generated by protected graphics modules against software and hardware attacks.

Publication date: 28-05-2020

System, Apparatus and Method for Secure Monotonic Counter Operations in a Processor

Number: US20200167294A1
Assignee: Intel Corp

In one embodiment, an apparatus includes: at least one core to execute instructions, the at least one core formed on a semiconductor die; a first memory formed on the semiconductor die, the first memory comprising a non-volatile random access memory, the first memory to store a first entry to be a monotonic counter, the first entry including a value field and a status field; and a control circuit, wherein the control circuit is to enable access to the first entry if the apparatus is in a secure mode and otherwise prevent the access to the first entry. Other embodiments are described and claimed.

Publication date: 28-05-2020

COMPUTING PLATFORM SECURITY METHODS AND APPARATUS

Number: US20200167467A1
Assignee:

Computing platform security methods and apparatus are disclosed. An example apparatus includes a graphics processor; and a graphics driver to facilitate access to the graphics processor, the graphics driver including: an authenticator to establish a trusted channel between the graphics driver and an application driver via mutual authentication of the graphics driver and the application driver; an offloader to offload a computing task to the graphics processor via the trusted channel, the computing task associated with the application driver; and a hypervisor to monitor memory associated with the offloaded computing task for an unauthorized access attempt.

1. An apparatus comprising: a graphics processor; and a graphics driver to facilitate access to the graphics processor, the graphics driver including: an authenticator to establish a trusted channel between the graphics driver and an application driver via mutual authentication of the graphics driver and the application driver; an offloader to offload a computing task to the graphics processor via the trusted channel, the computing task associated with the application driver; and a hypervisor to monitor memory associated with the offloaded computing task for an unauthorized access attempt.
2. The apparatus of claim 1, wherein the hypervisor has a privilege level sufficient to monitor the memory.
3. The apparatus of claim 1, wherein the hypervisor is to operate outside an operating system.
4. The apparatus of claim 1, wherein the hypervisor is implemented via a Trusted Memory Services Layer.
5. The apparatus of claim 1, wherein the memory is first memory, the first memory isolated from second memory associated with an image rendering task to be executed by the graphics processor.
6. The apparatus of claim 1, wherein the application driver corresponds to a security application and the computing task includes a memory scanning operation to detect a pattern associated with malware.
7. The apparatus of ...

Publication date: 29-06-2017

FAST SWITCHING BETWEEN VIRTUAL MACHINES WITHOUT INTERRUPT VIRTUALIZATION FOR HIGH-PERFORMANCE, SECURE TRUSTED-EXECUTION ENVIRONMENT

Number: US20170185435A1
Assignee:

Various embodiments are generally directed to an apparatus, method, and other techniques to handle interrupts directed to secure virtual machines. Work is added to a work queue in a shared memory buffer in accordance with a received request, and a task-priority register is updated to block interrupts not directed toward the secure virtual machine. A timer that expires after a number of cycles of the computer processor have elapsed is started. The secure virtual machine is launched on the computer processor, and a work queue in a shared memory buffer is polled for work to be executed by the secure virtual machine until the work queue is empty or until the timer expires.

1. An apparatus for secure virtual-machine interrupt handling comprising: a computer processor; a computer memory in electrical communication with the computer processor and comprising a shared memory, the shared memory comprising a work queue configured to add work in accordance with a received work request for a secure virtual machine configured to execute on the computer processor; a timer configured to start when a work request is received and to expire after a number of cycles of the computer processor have elapsed thereafter; a task-priority register configured to filter interrupts directed toward the computer processor and to update, when a work request is received, to block interrupts not directed toward the secure virtual machine; and a secure virtual-machine interrupt manager component configured to launch the secure virtual machine on the computer processor and to poll the work queue in the shared memory buffer for work to be executed by the secure virtual machine until the work queue becomes empty or until the timer expires.
2. The apparatus of claim 1, the task-priority register being further configured to save its current state before updating.
3. The apparatus of claim 2, the task-priority register being further configured to restore its current state when the work queue becomes empty or ...

Publication date: 29-06-2017

System and method for enabling secure memory transactions using enclaves

Number: US20170185766A1
Assignee:

Various embodiments are generally directed to an apparatus, method, and other techniques to provide direct-memory access, memory-mapped input-output, and/or other memory transactions between devices designated for use by an enclave and the enclave itself. A secure device address map may be configured to map addresses for the enclave device and the enclave, and a register filter component may grant access to the enclave device to the enclave.

1. An apparatus for secure enclave device memory access comprising: a computer processor; an enclave disposed in a computer memory to execute trusted computer instructions using the computer processor and comprising an enclave device virtual address region; an input/output memory management unit to map a memory address from a physical address to an enclave device virtual address in the enclave device virtual address region; a register filter component to grant an enclave device access to the enclave device virtual address region; a trusted firmware component to identify a device enclave mode bit assigned to the enclave device and transmitted with a memory transaction associated with the enclave device and to configure the input/output memory management unit with a secure device address map associated with the device enclave mode bit.
2. The apparatus of claim 1, the register filter component comprising a base register and a device mask register.
3. The apparatus of claim 2, the base register further configured for storing a base memory address of the enclave and the device mask register configured for storing a size of the enclave device virtual address region.
4. The apparatus of claim 1, the enclave further comprising an enclave non-device virtual address region in communication with the enclave device virtual address region.
5. The apparatus of claim 1, the secure device address map being stored in an enclave control structure associated with the enclave.
6. The apparatus of claim 1, the memory transaction comprising a direct- ...

Publication date: 05-07-2018

VERIFYING WET INK SIGNATURES VIA DIGITAL PEN TECHNOLOGY

Number: US20180189472A1
Assignee:

Systems, apparatuses and methods may provide for technology that includes a writing implement with an ink subsystem to print a message, a sensor subsystem to digitize the message and an authorization subsystem coupled to the sensor subsystem, wherein the authorization subsystem generates a notification of whether the digitized message is authentic. In one example, a remote server obtains the digitized message originating from a writing implement, wherein the digitized message includes an image of a handwritten signature and additional sensor information. In such a case, the server may conduct an authentication of the additional sensor information with respect to known sensor information associated with an authenticated user and send an authentication response to the writing implement based on the authentication.

1. A writing implement comprising: an ink subsystem to print a message; a sensor subsystem to digitize the message; and an authorization subsystem coupled to the sensor subsystem, the authorization subsystem to generate a notification of whether the digitized message is authentic.
2. The writing implement of claim 1, wherein the sensor subsystem includes: a fingerprint sensor to capture a fingerprint; a pressure sensor to generate hand pressure measurement information; a motion sensor to generate motion measurement information; a camera to capture an image of the message on paper; and a light source to illuminate the message on paper during the capture of the image, wherein the digitized message is to include one or more of the fingerprint, the hand pressure measurement information, the motion measurement information or the image.
3. The writing implement of claim 2, wherein the authorization subsystem is to disable the ink subsystem prior to printing the message if authentication of the fingerprint is unsuccessful and enable the ink subsystem prior to printing the message if authentication of the fingerprint is successful.
4. The writing implement of claim 1, ...

Publication date: 18-09-2014

DIFFERENTIATED CONTAINERIZATION AND EXECUTION OF WEB CONTENT BASED ON TRUST LEVEL AND OTHER ATTRIBUTES

Number: US20140282890A1
Assignee:

Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

1. An apparatus to differentiate web content, comprising: a browser interface to receive web content; a container designation module to determine a trust level associated with the web content; and an environment module to map the web content to an execution environment based at least in part on the trust level.
2. The apparatus of claim 1, further including a plurality of trust level specific data containers, wherein the container designation module is to store the web content to one or more of the plurality of trust level specific data containers.
3. The apparatus of claim 1, wherein the web content is to be mapped to the execution environment further based on a context attribute including one or more of a stack composition associated with the web content, a latency of one or more web transactions associated with the web content, an objective of the web content and a service type associated with the web content.
4. The apparatus of claim 1, further including a content offload module to send at least a portion of the web content to an offload container associated with one or more of a provider of the web content, an emulation module of a local computing device, an enterprise data center, a private cloud and a third party service provider to map the web content to the execution environment, and to receive a result associated with the offload container.
5. The apparatus of claim 4, wherein at least a portion of the web container is to be sent to the offload container if the trust level is below a threshold and a latency tolerance condition is satisfied.
6. The apparatus of claim 1, further ...

Publication date: 09-08-2018

DIFFERENTIATED CONTAINERIZATION AND EXECUTION OF WEB CONTENT BASED ON TRUST LEVEL AND OTHER ATTRIBUTES

Number: US20180227309A1
Assignee:

Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

1. (canceled)
2. A computing system comprising: network circuitry; a storage device including instructions; and processor circuitry associated with a local execution environment, the processor circuitry to execute the instructions to: store data of a first type in a first container; store data of a second type in a second container, the second type different from the first type; determine whether to provide content to a remote execution environment separate from the local execution environment based on whether the content is unverified; and provide the content to the remote execution environment when the content is determined to be unverified.
3. The computing system of claim 2, wherein the processor circuitry is to determine whether the content is unverified based on a blacklist.
4. The computing system of claim 2, wherein the processor circuitry is to determine whether the content is unverified based on a whitelist.
5. The computing system of claim 2, wherein the content includes hypertext markup language (HTML) content.
6. The computing system of claim 5, wherein the network circuitry is to receive the HTML content.
7. The computing system of claim 2, wherein the processor circuitry is further to receive a result associated with the content from the remote execution environment.
8. At least one non-transitory computer readable medium comprising instructions that, when executed, cause at least one processor associated with a local execution environment to at least: store data of a first type in a first container; store data of a second type in a second container, the second type different from the first type; determine whether to ...

Publication date: 19-08-2021

DIFFERENTIATED CONTAINERIZATION AND EXECUTION OF WEB CONTENT BASED ON TRUST LEVEL AND OTHER ATTRIBUTES

Number: US20210258313A1
Assignee:

Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

1. An apparatus to differentiate web content, comprising: a browser interface to receive web content; a container designation module to determine a trust level associated with the web content; and an environment module to map the web content to an execution environment based at least in part on the trust level.

This patent arises from a continuation of U.S. patent Application Ser. No. 16/551,221, which is entitled “DIFFERENTIATED CONTAINERIZATION AND EXECUTION OF WEB CONTENT BASED ON TRUST LEVEL AND OTHER ATTRIBUTES,” and which was filed on Aug. 26, 2019, which is a continuation of U.S. patent application Ser. No. 15/979,119, which is entitled “DIFFERENTIATED CONTAINERIZATION AND EXECUTION OF WEB CONTENT BASED ON TRUST LEVEL AND OTHER ATTRIBUTES,” and which was filed on May 14, 2018, which is a continuation of U.S. patent application Ser. No. 15/722,336, which is entitled “DIFFERENTIATED CONTAINERIZATION AND EXECUTION OF WEB CONTENT BASED ON TRUST LEVEL AND OTHER ATTRIBUTES,” and which was filed on Oct. 2, 2017, which is a continuation of U.S. patent application Ser. No. 13/830,634, which is entitled “DIFFERENTIATED CONTAINERIZATION AND EXECUTION OF WEB CONTENT BASED ON TRUST LEVEL AND OTHER ATTRIBUTES,” and which was filed on Mar. 14, 2013. U.S. patent application Ser. No. 13/830,634, U.S. patent application Ser. No. 15/722,336, U.S. patent application Ser. No. 15/979,119, and U.S. patent application Ser. No. 16/551,221 are hereby incorporated herein by reference in their respective entireties.

Embodiments generally relate to access controls for web-based applications. More particularly, embodiments relate to differentiated containerization and execution ...

Publication date: 16-07-2020

PLATFORM MEASUREMENT COLLECTION MECHANISM

Number: US20200226047A1
Assignee: Intel Corporation

An apparatus to collect firmware measurement data at a computing system is disclosed. The apparatus includes a plurality of agents, each including a non-volatile memory storing firmware executed to perform a function associated with the agent, verification logic to generate measurement data by verifying the integrity of the firmware and a register to store the measurement data, and a processor to execute an instruction to collect firmware measurement data from each of the plurality of agents.

1. An apparatus to collect firmware measurement data at a computing system, comprising: a plurality of interconnect protocol (IP) agents, each including a non-volatile memory storing firmware executed to perform a function associated with the agent; one or more processors to execute verification logic to generate measurement data by verifying the integrity of the firmware; and a register to store the measurement data; and a central processing unit (CPU) to execute an instruction to collect firmware measurement data from each of the plurality of IP agents.
2. The apparatus of claim 1, wherein the CPU collecting the firmware measurement data comprises collecting first measurement data from a first set of one or more registers in a first IP agent and collecting second measurement data from a second set of one or more registers in a second IP agent.
3. The apparatus of claim 2, wherein the CPU receives a manifest data structure from a software application.
4. The apparatus of claim 3, wherein the CPU inserts the first and second measurement data in the manifest data structure.
5. The apparatus of claim 4, wherein the CPU signs the manifest data structure with one or more cryptographic keys.
6. The apparatus of claim 5, wherein the CPU transmits the manifest data to a cloud agent external to the computing system.
7. The apparatus of claim 6, wherein the IP agent uses the manifest to receive firmware from one or more of the plurality of IP agents.
8. The apparatus of claim 7, ...

More
Publication date: 16-07-2020

FIRMWARE VERIFICATION MECHANISM

Number: US20200226261A1
Assignee: Intel Corporation

An apparatus to verify firmware in a computing system, comprising a non-volatile memory, including firmware memory to store agent firmware associated with each of a plurality of interconnect protocol (IP) agents and version memory to store security version numbers (SVNs) included in the agent firmware, a security controller comprising verifier logic to verify an integrity of the version memory by applying a hash algorithm to contents of the version memory to generate a SVN hash, and a trusted platform module (TPM) to store the SVN hash.

1. An apparatus to verify firmware in a computing system, comprising: a non-volatile memory, including firmware memory to store agent firmware associated with each of a plurality of interconnect protocol (IP) agents; and version memory to store security version numbers (SVNs) included in the agent firmware; a security controller comprising verifier logic to verify an integrity of the version memory by applying a hash algorithm to contents of the version memory to generate a SVN hash; and a trusted platform module (TPM) to store the SVN hash.
2. The apparatus of claim 1, wherein the verifier logic verifies an integrity of the version memory upon receiving agent firmware by applying the hash algorithm to contents of the version memory to generate a check hash and comparing the check hash to the SVN hash stored in the TPM.
3. The apparatus of claim 2, wherein the verifier logic verifies an integrity of the agent firmware upon determining that the check hash matches the SVN hash.
4. The apparatus of claim 3, wherein the verifier logic verifies the integrity of the agent firmware by determining whether a SVN included in the received agent firmware is greater than a SVN associated with the agent firmware stored in the version memory.
5. The apparatus of claim 4, wherein the received agent firmware is stored in the firmware memory upon a determination that the SVN included in the received agent firmware is greater than a SVN associated ...

More
Publication date: 16-07-2020

PLATFORM SECURITY MECHANISM

Number: US20200226263A1
Assignee: Intel Corporation

An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.

1. An apparatus to facilitate security within a computing system, comprising: a storage drive; a non-volatile memory, including a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys; and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.
2. The apparatus of claim 1, wherein the one or more cryptographic keys are programmed into the controller during manufacture of the non-volatile memory.
3. The apparatus of claim 2, further comprising a security controller to generate the cryptographic keys.
4. The apparatus of claim 3, wherein the security controller receives the cryptographic keys from a physically unclonable function (PUF) engine.
5. The apparatus of claim 3, wherein the security controller receives the cryptographic keys from a fuse controller.
6. The apparatus of claim 1, wherein the non-volatile memory further comprises Basic Input/Output System (BIOS) firmware to provision an operating system image into the non-volatile memory during a booting process.
7. The apparatus of claim 1, wherein the BIOS firmware reads a security header included in the operating system image.
8. The apparatus of claim 7, wherein the security header provides an indication of storage blocks in the storage drive storing the operating system image as plain text.
9. The apparatus of claim 8 ...

More
Publication date: 16-07-2020

DIFFERENTIATED CONTAINERIZATION AND EXECUTION OF WEB CONTENT BASED ON TRUST LEVEL AND OTHER ATTRIBUTES

Number: US20200228531A1
Assignee:

Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

1. (canceled)
2. A networked processor platform comprising: memory including computer readable instructions; and processor circuitry to execute the instructions to at least: determine, based on a latency condition, whether to offload program code to a cloud platform, the cloud platform to communicate with the networked processor platform via a network; in response to a determination to offload the program code to the cloud platform, (i) provide the program code to a first container associated with the cloud platform, and (ii) access, from the first container, a result of execution of the program code by the cloud platform; and in response to a determination not to offload the program code to the cloud platform, (i) provide the program code to a second container associated with the networked processor platform, and (ii) allocate one or more resources of the networked processor platform to execute the program code.
3. The networked processor platform of claim 2, wherein the latency condition is associated with an amount of time to process the program code using the cloud platform, and the processor circuitry is to make the determination to offload the program code to the cloud platform in response to satisfaction of the latency condition.
4. The networked processor platform of claim 3, wherein the processor circuitry is to determine whether the latency condition is satisfied based on at least one of a quality of service associated with the program code or a service level agreement associated with the program code.
5. The networked processor platform of claim 3, wherein the processor circuitry is to determine the latency condition is ...

More
Publication date: 13-11-2014

Entry/Exit Architecture for Protected Device Modules

Number: US20140337983A1
Assignee:

The entry/exit architecture may be a critical component of a protection framework using a secure enclaves-like trust framework for coprocessors. The entry/exit architecture describes steps that may be used to switch securely into a trusted execution environment (entry architecture) and out of the trusted execution environment (exit architecture), at the same time preventing any secure information from leaking to an untrusted environment.

1. A method comprising: executing a command that takes a pointer to a device thread control structure belonging to an enclave-device-module; entering the enclave-device-module; and fetching commands from a buffer inside the enclave-device-module.
2. The method of including marking the structure as busy when the enclave-device-module is entered.
3. The method of including making a synchronous entry to an enclave-device-module.
4. The method of including making an asynchronous entry to an enclave-device-module.
5. The method of including making a synchronous entry on the first entry to an enclave-device-module and using an asynchronous entry thereafter.
6. The method of including using a flag to indicate whether to enter synchronously or asynchronously.
7. The method of including exiting from an enclave-device-module using a command executed inside the buffer.
8. The method of including using unprivileged entry commands.
9. The method of including using a memory write to a memory management input output device register in order to enter an enclave-device-module.
10. The method of including executing a command in a processor graphics to enter an enclave-device-module.
11. One or more computer readable media storing instructions to perform a sequence comprising: executing a command that points to a device thread control structure of an enclave-device-module; entering the enclave-device-module; and fetching commands from inside the enclave-device-module.
12. The media of including marking the structure as busy when the enclave-device-module is entered.
13 ...

More
Publication date: 30-09-2021

IP INDEPENDENT SECURE FIRMWARE LOAD

Number: US20210303691A1
Assignee: Intel Corporation

An apparatus to implement an IP independent firmware load is disclosed. The apparatus includes a plurality of agents, at least one agent including a memory to store firmware to be executed by the agent to perform a function associated with the agent and a register to store enumeration data for the firmware load mechanism of the IP, and a processor to initiate an enumeration process to read the enumeration data from the register of the at least one agent, make a decision based on that data to retrieve a firmware module from a storage device, verify the firmware module, and load the firmware module into the memory of the at least one agent.

1. An apparatus comprising: a plurality of agents, at least one agent including a memory to store firmware to be executed by the agent to perform a function associated with the agent; and a register to store enumeration data for the firmware; and a processor to initiate an enumeration process to read the enumeration data from the register of the at least one agent; retrieve a firmware module from a storage device; verify the firmware module; and load the firmware module into the memory of the at least one agent.
2. The apparatus of claim 1, wherein the processor is to: transmit a message to the at least one agent to update a load status of the firmware module.
3. The apparatus of claim 1, wherein the firmware module is loaded using at least one of a push technique or a pull technique.
4. The apparatus of claim 3, wherein the at least one agent is to: collect enumerable data from each of the plurality of agents; and discover one or more capabilities of the agent using the enumerable data.
5. The apparatus of claim 4, wherein the at least one agent is to transmit a message to trigger the at least one agent to execute the firmware module.
6. The apparatus of claim 5, wherein the at least one agent is to transmit a message to trigger the at least one agent to copy the firmware module from an external ...

More
Publication date: 14-10-2021

CRYPTOGRAPHIC PROTECTION OF MEMORY ATTACHED OVER INTERCONNECTS

Number: US20210318966A1
Assignee: Intel Corporation

Methods and apparatus relating to cryptographic protection of memory attached over interconnects are described. In an embodiment, memory stores data and a processor having execution circuitry executes an instruction to program an inline memory expansion logic and a host memory encryption logic with one or more cryptographic keys. The inline memory expansion logic encrypts the data to be written to the memory and decrypts encrypted data to be read from the memory. The memory is coupled to the processor via an interconnect endpoint of a system fabric. Other embodiments are also disclosed and claimed.

1. An apparatus comprising: memory to store data; and a processor having execution circuitry to execute an instruction to program an inline memory expansion logic and a host memory encryption logic with one or more cryptographic keys, wherein the inline memory expansion logic is to encrypt the data to be written to the memory and to decrypt encrypted data to be read from the memory, wherein the memory is coupled to the processor via an interconnect endpoint of a system fabric.
2. The apparatus of claim 1, wherein the interconnect endpoint is to operate in accordance with Compute Express Link™ (CXL™) protocol.
3. The apparatus of claim 1, wherein the memory comprises a one level memory or a two level memory.
4. The apparatus of claim 1, wherein the memory is to be accessed in block mode or direct access mode.
5. The apparatus of claim 1, wherein the host memory encryption logic is to encrypt data to be written to dynamic random access memory and to decrypt encrypted data to be read from the dynamic random access memory, wherein the processor is coupled to the dynamic random access memory via a memory fabric endpoint of a system fabric.
6. The apparatus of claim 5, wherein the memory and the dynamic random access memory are to be accessible as a single system main memory.
7. The apparatus of claim 5, wherein the memory is a far memory in a two level memory system and ...

More
Publication date: 14-10-2021

CONCURRENT VOLUME AND FILE BASED INLINE ENCRYPTION ON COMMODITY OPERATING SYSTEMS

Number: US20210319121A1
Assignee: Intel Corporation

The disclosure generally relates to method, system and apparatus for concurrent volume and file based inline encryption on commodity operating systems (OS). More particularly, some embodiments of the disclosure relate to a Converged Cryptographic Engine (CCE) for storage encryption. An exemplary method for implementing non-disruptive inline encryption of a read/write transaction on a non-volatile memory (NVM) circuitry includes the steps of: generating one or more encryption keys for the read/write transaction on a storage volume of the NVM circuitry at a Setup logic; identifying a plurality of Logical Block Addresses (LBAs) corresponding to the storage volume for the read/write transaction at an NTFS logic; and, at a Storage encryption system logic: (1) receiving the plurality of LBAs and their corresponding storage volume from the NTFS, (2) identifying the storage volume on the NVM storage circuitry for the read/write transaction, (3) identifying the one or more encryption keys for the identified storage volume, (4) assigning a keyId to the identified encryption key, and (5) programming the KeyId on to the NVM circuitry.

1. An apparatus comprising: a Setup logic to generate one or more encryption keys for the read/write transaction on a storage volume of the non-volatile memory (NVM) circuitry; a File System (FS) logic to identify a plurality of Logical Block Addresses (LBAs) corresponding to the storage volume for the read/write transaction; and a Storage encryption system logic configured to: receive the plurality of LBAs and their corresponding storage volume from the FS, identify the storage volume on the NVM storage circuitry for the read/write transaction, identify the one or more encryption keys for the identified storage volume, assign a keyId to the identified encryption key, and program the KeyId on to the NVM circuitry; a processor circuitry and a memory circuitry in communication with the processor circuitry, the memory circuitry ...

More
Publication date: 14-09-2017

MALWARE-PROOF PRIVACY INDICATOR

Number: US20170263254A1
Assignee: Intel IP Corporation

A voice command device (VCD) has privacy protection. The VCD comprises a processor, first and second input devices, at least one data line to couple the first and second input devices to the processor, a power supply, and a sensor power line to couple the first and second input devices to the power supply. The VCD also comprises a manually operated mechanical switch on the sensor power line, to divide the sensor power line into a first leg comprising the power supply and a second leg comprising the input devices. The VCD also comprises an active sensor indicator light on the second leg of the sensor power line. The indicator light is configured to indicate whether the input devices are operational, based on a power level of the second leg of the sensor power line. Other embodiments are described and claimed.

1. A voice command device with privacy protection, the voice command device comprising: a processor; first and second input devices; at least one data line to couple the first and second input devices to the processor; a power supply; a sensor power line to couple the first and second input devices to the power supply; a manually operated mechanical switch on the sensor power line to divide the sensor power line into a first leg comprising the power supply and a second leg comprising the first and second input devices; and an active sensor indicator light on the second leg of the sensor power line with the first and second input devices, wherein the active sensor indicator light is configured to indicate whether any of the first and second input devices are operational, based on a power level of the second leg of the sensor power line.
2. A voice command device according to claim 1, wherein: the mechanical switch can be manually switched between a closed position and an open position; the closed position (a) allows power to reach the first and second input devices and (b) causes the active sensor indicator light to emit light; and the open position (c) prevents power ...

More
Publication date: 13-09-2018

Differentiated containerization and execution of web content based on trust level and other attributes

Number: US20180262509A1
Assignee: Intel Corp

Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

More
Publication date: 01-10-2015

VIRTUALIZATION BASED INTRA-BLOCK WORKLOAD ISOLATION

Number: US20150278512A1
Assignee: Intel Corporation

Generally, this disclosure provides systems, devices, methods and computer readable media for virtualization-based intra-block workload isolation. The system may include a virtual machine manager (VMM) module to create a secure virtualization environment or sandbox. The system may also include a processor block to load data into a first region of the sandbox and to generate a workload package based on the data. The workload package is stored in a second region of the sandbox. The system may further include an operational block to fetch and execute instructions from the workload package.

1. A system for intra-block workload isolation, said system comprising: a virtual machine manager (VMM) module to create a secure virtualization environment (sandbox); a processor block to load data into a first region of said sandbox; said processor block further to generate a workload package, associated with said workload, said workload package based on said data and stored in a second region of said sandbox; and an operational block to fetch and execute instructions from said workload package.
2. The system of claim 1, wherein said VMM is further to set access controls of said second region of said sandbox to provide intra-block isolation of code, data and state information associated with said workload.
3. The system of claim 1, wherein said VMM is further to set access controls of said second region of said sandbox to a non-executable mode.
4. The system of claim 3, wherein said VMM is further to set access controls of said second region of said sandbox to an executable mode for said operational block during a selected period of execution of said workload package.
5. The system of claim 1, wherein said operational block is further to write results to a third region of said sandbox, said results based on execution of said workload package.
6. The system of claim 1, wherein said processor block is further to cryptographically authenticate said data.
7. The system of ...

More
Publication date: 01-10-2015

Entry/Exit Architecture for Protected Device Modules

Number: US20150278514A1
Assignee:

The entry/exit architecture may be a critical component of a protection framework using a secure enclaves-like trust framework for coprocessors. The entry/exit architecture describes steps that may be used to switch securely into a trusted execution environment (entry architecture) and out of the trusted execution environment (exit architecture), at the same time preventing any secure information from leaking to an untrusted environment.

1. A method comprising: constructing a protected portion, in a protected execution environment, of a workload running on a coprocessor; executing a command that takes a pointer to a device thread control structure belonging to the protected portion; entering the protected portion; and fetching commands from a buffer inside the protected portion.
2. The method of including marking the structure as busy when the protected portion is entered.
3. The method of including making a synchronous entry to the protected portion.
4. The method of including making an asynchronous entry to the protected portion.
5. The method of including making a synchronous entry on the first entry to the protected portion and using an asynchronous entry thereafter.
6. The method of including using a flag to indicate whether to enter synchronously or asynchronously.
7. The method of including exiting from the protected portion using a command executed inside the buffer.
8. The method of including using unprivileged entry commands.
9. The method of including using a memory write to a memory management input output device register in order to enter the protected portion.
10. The method of including executing a command in a graphics processor to enter the protected portion.
11. One or more non-transitory computer readable media storing instructions to perform a sequence comprising: constructing a protected portion, in a protected execution environment, of a workload running on a coprocessor; executing a command that points to a device thread control structure of the protected ...

More
Publication date: 05-10-2017

AVOIDING REDUNDANT MEMORY ENCRYPTION IN A CRYPTOGRAPHIC PROTECTION SYSTEM

Number: US20170286320A1
Assignee: Intel Corporation

This disclosure is directed to avoiding redundant memory encryption in a cryptographic protection system. Data stored in a device may be protected using different encryption systems. Data associated with at least one trusted execution environment (TEE) may be encrypted using a first encryption system. Main memory in the device may comprise data important to maintaining the integrity of an operating system (OS), etc. and may be encrypted using a second encryption system. Data may also be placed into a memory location via direct memory access (DMA) and may be protected utilizing a third encryption system. Redundant encryption may be avoided by encryption circuitry capable of determining when data is already protected by encryption provided by another system. For example, the encryption circuitry may comprise encryption control circuitry that monitors indicators set at different points during data handling, and may bypass certain data encryption or decryption operations based on the indicator settings.

1. A device equipped for cryptographic memory protection, comprising: memory circuitry to store data, the memory circuitry including a first region in which encrypted data associated with at least one trusted execution environment is stored, a second region in which encrypted data associated with general memory is stored and at least one memory location in which encrypted data received via direct memory access is stored; and processing circuitry to process the data stored in the memory circuitry, the processing circuitry including encryption circuitry to avoid redundant memory encryption by controlling at least one of a first encryption engine to perform data encryption and decryption for the first region or a second encryption engine to perform data encryption and decryption for the second region.
2. The device of claim 1, wherein the processing circuitry is based on Secure Guard Extensions (SGX) technology and the encryption circuitry includes a memory encryption engine ...

More
Publication date: 22-10-2015

SYMMETRIC KEY DISTRIBUTION FRAMEWORK FOR THE INTERNET

Number: US20150304286A1
Assignee:

A method, device, and system are disclosed. In one embodiment the method includes receiving measured health information from a client on a key distribution server. Once the measured health information is received the server is capable of validating the measured health information to see if it is authentic. The server is also capable of sending a session key to the client when the measured health information is validated. When the client receives the session key, the client is capable of initiating an encrypted and authenticated connection with an application server in the domain using the session key.

1-20. (canceled)
21. A key distribution server for generating a session key to secure communications with an application server, the key distribution server comprising key distribution server logic to: receive health information of a client device that requests access to an application server, wherein the received health information describes a client health level of the client device based on a client health policy required to access the application server; determine whether the client health level of the client device meets the client health policy required to access the application server; generate a master key for a communication session between the client device and the application server in response to a determination that the client health level of the client device satisfies the client health policy required to access the application server; generate a client-specific session key as a function of the master key and a client identifier of the client device; transmit the master key to the application server for generation of a corresponding session key as a function of the master key and the client identifier of the client device; and transmit the client-specific session key to the client device for encryption and decryption of communications with the application server.
22. The key distribution server of claim 21, wherein the key distribution server logic is further to ...

More
Publication date: 10-09-2020

MEMORY MAP PROTECTION MECHANISM

Number: US20200285403A1
Assignee: Intel Corporation

An apparatus to facilitate memory map security in a system on chip (SOC) is disclosed. The apparatus includes a micro controller to receive a request to grant a host device access to a memory device and perform an alias checking process to verify accuracy of a memory map of the memory device.

1. An apparatus to facilitate memory map security in a system on chip (SOC), comprising: a memory device; a plurality of interconnect protocol (IP) agents configured to access the memory device; and a micro controller to receive a request to grant a host device access to the memory device and perform an alias checking process for each of the plurality of IP agents to verify accuracy of a memory map of the memory device.
2. The apparatus of claim 1, wherein the micro controller locks registers associated with the memory map.
3. The apparatus of claim 2, further comprising a Basic Input/output System (BIOS) firmware to program the memory map for a plurality of IP agents.
4. The apparatus of claim 3, wherein the micro controller further performs an attestation process to verify the integrity of the memory map.
5. The apparatus of claim 4, wherein the micro controller permits the host device to access the memory device upon a determination that the integrity has been verified.
6. The apparatus of claim 5, wherein the micro controller blocks access to the host device upon a determination that the integrity has not been verified.
7. The apparatus of claim 6, wherein the micro controller blocks access to the host device via a hardware locking mechanism.
8. The apparatus of claim 4, wherein the micro controller publishes the results of the attestation to the BIOS firmware.
9. A method to facilitate memory map security in a system on chip (SOC), comprising: receiving a request at a micro controller from Basic Input/output System (BIOS) firmware to grant a host device access to a memory device and perform access grant requests initiated by boot firmware; the micro ...

More
Publication date: 03-10-2019

Asymmetric Device Attestation Using Physically Unclonable Functions

Number: US20190305973A1
Author: Dewan Prashant
Assignee: Intel Corporation

In one example, a system for asymmetric device attestation includes a physically unclonable function (PUF) configured to generate a response to a challenge. A pseudo-random number generator generates a set of random numbers based on the response. A key generator determines co-prime numbers in the set of random numbers and generates a key pair using the co-prime numbers, wherein the public key is released to a manufacturer of the component for attestation of authenticity of the component. Through extending the PUF circuitry with a pseudo-random number generator, the present techniques are able to withstand unskilled and skilled hardware attacks, as the secret derived from the PUF is immune to extraction.

1. A system for asymmetric device attestation, comprising: a physically unclonable function (PUF) corresponding to a component, configured to generate a response to a challenge; a pseudo-random number generator to generate a set of random numbers based on the response; a key generator to determine co-prime numbers in the set of random numbers and generate a key pair using the co-prime numbers, wherein the public key is released to a manufacturer of the component for attestation of authenticity of the component.
2. The system of claim 1, wherein the public key and the challenge are transmitted to the manufacturer, and in response the manufacturer attests to the authenticity of the component by issuing a certificate.
3. The system of claim 1, wherein the physically unclonable function (PUF) is one of an optical PUF or silicon PUF.
4. The system of claim 1, wherein the pseudo-random number generator terminates the generation of the set of random numbers in response to the key generator determining co-prime numbers in the set of random numbers.
5. The system of claim 1, wherein the key pair is a Rivest, Shamir, and Adleman key pair.
6. The system of claim 1, wherein the key pair comprises a public key used for encryption, and a private ...

More
Publication date: 17-10-2019

Standardized Interface for Intellectual Property Blocks

Number: US20190318097A1
Assignee:

There is disclosed in one example, a system-on-a-chip (SoC), including: a processor core; a fabric; an intellectual property (IP) block communicatively coupled to the processor core via the fabric, the IP block having a microcontroller configured to provide a microcontroller architecture; a firmware load interface configured to provide a standardized hardware interface to the microcontroller architecture, wherein the standardized hardware interface provides an architecture-agnostic mechanism to securely load a firmware to the intellectual property block; and logic to provide a loader to load a firmware to the IP block via the firmware load interface.

1. A system-on-a-chip (SoC), comprising: a processor core; a fabric; a first intellectual property (IP) block communicatively coupled to the processor core via the fabric, the first IP block having a first microcontroller configured to provide a first microcontroller architecture; a first firmware load interface configured to provide a standardized hardware interface to the first microcontroller architecture, wherein the standardized hardware interface provides an architecture-agnostic mechanism to securely load a first firmware to the first intellectual property block; and logic to provide a loader to load a firmware to the first IP block via the first firmware load interface.
2. The SoC of claim 1, wherein the first firmware load interface is integrated into the first IP block.
3. The SoC of claim 1, wherein the first firmware load interface is external to the first IP block.
4. The SoC of claim 1, wherein the first firmware load interface is an IP block discrete from the first IP block.
5. The SoC of claim 1, further comprising: a second IP block having a second microcontroller, the second microcontroller having a second microcontroller architecture different from the first microcontroller architecture; and a second firmware load interface to provide the standardized hardware interface to securely load a second firmware to ...

More
Publication date: 17-10-2019

Device ID for Memory Protection

Number: US20190319789A1
Assignee:

There is disclosed in one example a computing system, including: a processor; a memory; and a memory encryption engine (MEE) including circuitry and logic to: allocate a protected isolated memory region (IMR); encrypt the protected IMR; set an access control policy to allow access to the IMR by a device identified by a device identifier; and upon receiving a memory access request directed to the IMR, enforce the access control policy.

1. A computing system, comprising: a processor; a memory; and a memory encryption engine (MEE) comprising circuitry and logic to: allocate a protected isolated memory region (IMR); encrypt the protected IMR; set an access control policy to allow access to the IMR by a device identified by a device identifier; and upon receiving a memory access request directed to the IMR, enforce the access control policy.
2. The computing system of claim 1, wherein the MEE logic is further to deny access to any device not identified by the device identifier.
3. The computing system of claim 1, wherein the MEE logic is further to receive a plurality of device identifiers for a plurality of devices, and permit access to the IMR only to the plurality of devices.
4. The computing system of claim 1, wherein the MEE is a multi-key total memory encryption (MKTME) engine.
5. The computing system of claim 1, wherein the MEE is a partial scope MEE.
6. The computing system of claim 1, wherein the processor comprises one or more access policy registers, and circuitry and logic to set the access control policy of the MEE according to the access policy registers.
7. The computing system of claim 1, wherein the processor comprises logic to provide a SET_POLICY instruction, the SET_POLICY instruction to provide a software-accessible means for setting the access control policy.
8. The computing system of claim 1, further comprising processor microcode to implement the SET_POLICY instruction.
9. The computing system of claim 1, ...

More
Publication date: 24-10-2019

SECURE UPDATING OF COMPUTING SYSTEM FIRMWARE

Number: US20190325139A1
Assignee: Intel Corporation

A system comprising a controller to operate in an out-of-band fashion with respect to a central processing unit, the controller comprising a memory, and a processing element to request a firmware module from a computing system over a network, and cause the firmware module to be communicated to a storage controller for installation on a storage device.

1. A system comprising: a controller to operate in an out-of-band fashion with respect to a central processing unit, the controller comprising: a memory; and a processing element to: request a firmware module from a computing system over a network; and cause the firmware module to be communicated to a storage controller for installation on a storage device.
2. The system of claim 1, wherein causing the firmware module to be communicated to the storage controller for installation on the storage device comprises buffering the firmware module in the memory and transmitting the firmware module from the memory to the storage controller.
3. The system of claim 1, wherein causing the firmware module to be communicated to the storage controller for installation on the storage device comprises: requesting that the firmware module be transferred via remote direct memory access (RDMA) into a system memory coupled to the central processing unit; and communicating a location of the firmware module in the system memory to the storage controller.
4. The system of claim 1, wherein the processing element of the controller is to: periodically poll the computing system over the network to inquire whether a firmware update is available; receive an indication from the computing system that a firmware update is available; and request the firmware module from the computing system responsive to the indication.
5. The system of claim 1, wherein the processing element of the controller is to request the firmware module from the computing system over the network responsive to a trigger.
6. The system of claim 5, wherein the trigger comprises ...

More
Publication date: 24-10-2019

HARDWARE-ASSISTED PRIVACY PROTECTION USING A SECURE USER INTERFACE WITH MULTI-LEVEL ACCESS CONTROL OF SENSOR DATA

Number: US20190325154A1
Assignee:

Technologies provide hardware-assisted privacy protection of sensor data. One embodiment includes unlocking a user interface coupled to a trusted execution environment of a processor in a device, where the user interface includes a plurality of selectable settings associated with a plurality of access levels for sensor data captured by a sensor. The embodiment also includes receiving a selection signal from the user interface indicating that a user selected a first setting associated with a first access level for the sensor data captured by the sensor, and restricting access to the sensor data based on a first set of one or more entities associated with the first access level. In more specific embodiments, the user interface includes a knob that is rotatably attached to a housing of the device or a privacy panel including a slider bar that is to be displayed on a touch screen display of the device.

1. An apparatus, comprising: a memory including computer-executable instructions stored therein; a processor coupled to the memory, the processor including a trusted execution environment (TEE); a user interface coupled to the TEE, wherein the TEE is to: unlock the user interface, wherein the user interface includes a plurality of selectable settings associated with a plurality of access levels for sensor data captured by a sensor; receive a selection signal from the user interface indicating that a user selected a first setting associated with a first access level for the sensor data; and restrict access to the sensor data based on a first set of one or more entities associated with the first access level.
2. The apparatus of claim 1, wherein the apparatus includes: a housing, wherein the user interface includes a knob rotatably attached to the housing and communicably coupled to the TEE, wherein rotation of the knob from a second setting in one position to the first setting in another is to cause the selection signal to be sent to the TEE.
3. The apparatus of ...

More
Publication date: 07-11-2019

CONVERGED CRYPTOGRAPHIC ENGINE

Number: US20190342093A1
Assignee:

An apparatus of a computing system, a computer-readable medium, a method and a system. The apparatus comprises one or more processors that are to communicate with a computing engine of the computing system and to: receive an instruction including information on a cryptographic key; determine whether a no-decrypt mode is to be active or inactive with respect to a read request from the computing engine; when receiving the read request to read content from a memory, and in response to a determination that the no-decrypt mode is inactive, decrypt the content using the key to generate a decrypted content and send the decrypted content to the computing engine; and in response to receiving the read request, and in response to a determination that the no-decrypt mode is active, send the content to the computing engine without decrypting the content.

1. An apparatus of a computing system, the apparatus comprising one or more processors, and an input/output interface connected to the one or more processors to enable communication between the one or more processors and a computing engine of the computing system, the one or more processors to: receive an instruction including information on a cryptographic key; determine whether a no-decrypt mode is to be active or inactive with respect to a read request from the computing engine; in response to receiving the read request from the computing engine to read content from a memory of the computing system, and in response to a determination that the no-decrypt mode is inactive, decrypt the content using the key to generate a decrypted content and send the decrypted content to the computing engine; and in response to receiving the read request from the computing engine of the computing system to read the content from a memory of the computing system, and in response to a determination that the no-decrypt mode is active, send the content to the computing engine without decrypting the content.
2. The apparatus of claim 1, wherein the ...

More
Publication date: 14-11-2019

ESTABLISHMENT OF NETWORK CONNECTIONS

Number: US20190349366A1
Assignee:

A method for establishing network connections is described, comprising connecting a device to a first network, retrieving voice input of a user, sending a message including data related to the voice input to at least one gateway device on the first network, receiving configuration data for a second network via the first network in response to the message, and establishing a connection of the device to the second network using the configuration data received via the first network. Furthermore, an electronic device, a network gateway device and a system are defined.

1-23. (canceled)
24. A method for establishing network connections, comprising: connecting a device to a first network; retrieving voice input of a user; sending a message including data related to the voice input to at least one gateway device on the first network; receiving configuration data for a second network via the first network in response to the message; and establishing a connection of the device to the second network using the configuration data received via the first network.
25. The method of claim 24, further comprising receiving at least one challenge from the at least one gateway device via the first network and providing the message to the at least one gateway device in response to the at least one challenge.
26. The method of claim 25, further comprising presenting at least a part of the at least one challenge to the user.
27. The method of claim 26, further comprising extracting one or more voice features from the voice input and including at least some of the one or more voice features into the message.
28. The method of claim 27, wherein the configuration data for the second network is provided responsive to a voice-based authentication of the user based on the at least some voice features.
29. The method of claim 24, further comprising receiving a plurality of challenges from a plurality of gateway devices and providing the message as a response to one of the plurality of challenges to a ...

More
Publication date: 28-12-2017

VIRTUALIZATION BASED INTRA-BLOCK WORKLOAD ISOLATION

Number: US20170372063A1
Assignee: Intel Corporation

Generally, this disclosure provides systems, devices, methods and computer readable media for virtualization-based intra-block workload isolation. The system may include a virtual machine manager (VMM) module to create a secure virtualization environment or sandbox. The system may also include a processor block to load data into a first region of the sandbox and to generate a workload package based on the data. The workload package is stored in a second region of the sandbox. The system may further include an operational block to fetch and execute instructions from the workload package.

1. One or more non-transitory computer-readable storage devices having instructions stored thereon that, when executed by at least one processor of a first computing device, result in operations for workload isolation, the operations comprising: create a secure virtualization environment associated with a processor block of a system, the secure virtualization environment managed by a virtual machine manager (VMM); load data into a memory of the secure virtualization environment; generate a workload package, wherein the workload package is associated with a first workload and a second workload, the workload package based on the data and stored in the memory of the secure virtualization environment; and submit the workload package to an operational block of the system; cause the operational block to execute the first and second workloads from the secure virtualization environment; wherein the workloads being executed in the secure virtualization environment are isolated from other operations being executed by the processor.
2. The one or more non-transitory computer-readable storage media of claim 1, wherein the secure virtualization environment is a sandbox.
3. The one or more non-transitory computer-readable storage media of claim 1, wherein the secure virtualization environment is a secure container.
4. The one or more non-transitory computer-readable storage media of claim 1, wherein ...

More
Publication date: 20-12-2018

Technologies for dynamically protecting memory of mobile compute device with geofencing

Number: US20180365432A1
Assignee: Intel Corp

Technologies for dynamically protecting memory of the mobile compute device include a main memory, a location sensor that produces sensor data indicative of a present location of the mobile compute device, a sensor hub communicatively coupled to the location sensor, and a security engine communicatively coupled to the sensor hub. The sensor hub determines a present location security zone of the mobile compute device based on the present location of the mobile compute device and a geofence policy, which maps locations to location security zones. The security engine encrypts the main memory of the mobile compute device and determines whether the present location security zone has changed relative to a most-previous location security zone of the mobile compute device. If the present location security zone has changed to a safe zone, the security engine decrypts the main memory.

More
Publication date: 20-12-2018

SPEAKER RECOGNITION BASED ON DISCRIMINANT ANALYSIS

Number: US20180366127A1
Assignee:

A method for speaker recognition, an electronic device and a speaker recognition system are disclosed. An example method includes receiving speech data corresponding to one or more utterances from a plurality of speakers that include a plurality of voice features. A plurality of variability factors is extracted from the speech data. The dimensionality of the plurality of variability factors is reduced using a non-parametric analysis, thereby generating dimensionality-reduced features. A score space is defined based at least on the dimensionality-reduced features.

1. A method for speaker recognition, comprising: receiving speech data corresponding to one or more utterances from a plurality of speakers that include a plurality of voice features; extracting a plurality of variability factors from the speech data; reducing dimensionality of the plurality of variability factors using a non-parametric analysis, thereby generating dimensionality-reduced features; and defining a score space based at least on the dimensionality-reduced features.
2. The method of claim 1, wherein the variability factors include speaker-dependent factors and session-dependent factors.
3. The method of claim 1, further comprising: receiving subsequent speech data from a target speaker; scoring multiple variability factors of the target speaker using the score space; and identifying the target speaker based at least on a score of the multiple variability factors.
4. The method of claim 1, wherein the non-parametric analysis is a Nearest Neighbor Discriminant Analysis (NNDA).
5. The method of claim 4, further comprising using a nearest neighbor rule which maintains within-class and between-class variations of the plurality of variability factors to reduce dimensionality.
6. The method of claim 1, comprising defining the score space using a probabilistic discriminant analysis of the dimensionality-reduced features.
7. The method of claim 1, comprising extracting the plurality of variability factors ...

More