Projection of trustworthiness from a trusted environment to an untrusted environment
원문보기
IPC분류정보
국가/구분
United States(US) Patent
등록
국제특허분류(IPC7판)
G06F-007/04
G06F-007/02
H04L-009/00
G06F-011/30
출원번호
UP-0638199
(2003-08-07)
등록번호
US-7530103
(2009-07-01)
발명자
/ 주소
Willman, Bryan Mark
England, Paul
Ray, Kenneth D.
Kaplan, Keith
Kurien, Varugis
Marr, Michael David
출원인 / 주소
Microsoft Corporation
대리인 / 주소
Woodcock Washburn LLP
인용정보
피인용 횟수 :
12인용 특허 :
22
초록▼
In a single machine that has entities running in an untrusted environment and entities running in a trusted environment, the trustworthiness of the entities in the trusted environment is projected to the entities in the untrusted environment. This is applicable, for example, to Microsoft®'s Next Gen
In a single machine that has entities running in an untrusted environment and entities running in a trusted environment, the trustworthiness of the entities in the trusted environment is projected to the entities in the untrusted environment. This is applicable, for example, to Microsoft®'s Next Generation Secure Computing Base (NGSCB), where a regular operating system (e.g., the Windows® operating system) hosts a secure operating system (e.g., the nexus).
대표청구항▼
What is claimed is: 1. A system, comprising: a processor; a memory; an untrusted environment resident in the memory; a trusted environment connected to the untrusted environment and resident in a portion of the memory that is inaccessible to the untrusted environment; a plurality of monitoring agen
What is claimed is: 1. A system, comprising: a processor; a memory; an untrusted environment resident in the memory; a trusted environment connected to the untrusted environment and resident in a portion of the memory that is inaccessible to the untrusted environment; a plurality of monitoring agents running in the trusted environment, each monitoring agent monitoring at least one application, extension, or component running in the untrusted environment; and, at least one base monitoring agent running in the trusted environment that monitors the untrusted environment, whereby trustworthiness of the trusted environment is projected into the untrusted environment, wherein each monitoring agent is associated with an application in the untrusted environment and each monitoring agent monitors its associated application for attack and inconsistencies. 2. The system of claim 1, wherein each monitoring agent comprises a portion of its associated application. 3. The system of claim 1, wherein each monitoring agent has an adjustable level of inspection for targeting threats to its associated application. 4. The system of claim 1, wherein each monitoring agent receives a secure input and transfer the secure input to the associated application. 5. The system of claim 1, wherein at least one of the monitoring agents monitors application agents running in the trusted environment. 6. The system of claim 1, further comprising another monitoring agent running in the trusted environment, wherein the monitoring agents are in communication with each other. 7. The system of claim 1, wherein the base monitoring agent detects inconsistencies in the untrusted environment. 8. The system of claim 7, further comprising a plurality of monitoring agents that detect inconsistencies in applications running in the untrusted environment. 9. The system of claim 8, further comprising additional monitoring agents that detect inconsistencies in applications running in the trusted environment. 10. The system of claim 1, wherein at least one of the base monitoring agents approves or disapproves an untrusted environment event. 11. The system of claim 10, the at least one base monitoring agent further comprising a secure input for receiving input, wherein the base monitoring agent approves or disapproves the untrusted environment event based on the received input. 12. The system of claim 1, wherein at least one of the base monitoring agents refuses to allow changes to the untrusted environment without receiving approval via a secure input. 13. The system of claim 1, wherein at least one of the base monitoring agents refuses to allow changes to the untrusted environment unless the changes are described by a package that is signed by an approved party. 14. The system of claim 1, further comprising a monitoring agent running in the trusted environment, the monitoring agent monitoring at least one application, extension, or component running in the untrusted environment, wherein the monitoring agent uses sealed storage to keep a secret for an operating system or an application residing in the untrusted environment. 15. The system of claim 14, wherein the monitoring agent refuses to reveal the secret to the operating system or the application unless the operating system or application has a digest that matches the owner of the secret. 16. The system of claim 14, wherein the monitoring agent refuses to reveal the secret to the operating system or the application unless the operating system or application is on a list of digests that may read the secret. 17. The system of claim 14, wherein the monitoring agent uses a predetermined test to determine if a legitimate entity is requesting the secret. 18. The system of claim 17, wherein the predetermined test includes examining the entity's stacks and assuring that the stacks have legal stack contents. 19. The system of claim 1, further comprising a monitoring agent running in the trusted environment, the monitoring agent monitoring at least one application, extension, or component running in the untrusted environment, wherein the monitoring agent edits a state of the untrusted environment to make it secure or otherwise acceptable. 20. The system of claim 19, wherein the state comprises an initial configuration or an error report option. 21. The system of claim 1, wherein the base monitoring agent zeros the physical memory that does not belong to the known good configuration of the untrusted environment or to the trusted environment. 22. The system of claim 1, wherein the untrusted environment comprises a basic input/output system (BIOS), firmware, or loader. 23. The system of claim 1, further comprising a nexus for running the base monitoring agent at boot. 24. The system of claim 1, further comprising a counter in the trusted environment, wherein the counter is used to determine if the base monitoring agent should be run. 25. The system of claim 24, wherein the counter counts the number of untrusted memory edit operations. 26. A method of monitoring an untrusted environment, comprising: providing the untrusted environment and an operating system running in the untrusted environment; connecting a trusted environment to the untrusted environment; providing a plurality of monitoring agents running in the trusted environment; associating at least one of the plurality of monitoring agents with at least one application, extension, or component running in the untrusted environment; monitoring the at least one application, extension, or component using the at least one of the plurality of monitoring agents; providing at least one base monitoring agent running in the trusted environment; associating the at least one base monitoring agent with the operating system; providing a nexus for running the base monitoring agent at boot; binding the monitoring agents to the base monitoring agent and to the nexus; and, using the base monitoring agent to monitor the untrusted environment and the operating system for attack and inconsistencies to project trustworthiness of the trusted environment into the untrusted environment. 27. The method of claim 26, further comprising: associating each monitoring agent with an application; and monitoring each associated application for attack and inconsistencies. 28. The method of claim 26, further comprising associating an application with one of the monitoring agents, and transferring a portion of the application to the monitoring agent so the portion resides in the trusted environment. 29. The method of claim 26, further comprising associating an application with the monitoring agent and adjusting a level of inspection in the monitoring agent for targeting threats to the associated application. 30. The method of claim 26, further comprising: associating an application with the monitoring agent; receiving secure input at the monitoring agent; and, transferring the secure input to the application. 31. The method of claim 26, wherein the monitoring agents are in communication with each other. 32. The method of claim 26, further comprising using the base monitoring agent to approve or disapprove an untrusted environment event. 33. The method of claim 32, further comprising using the base monitoring agent to receive input from a secure input. 34. The method of claim 26, further comprising the base monitoring agent refusing to allow changes to the untrusted environment without receiving approval via a secure input. 35. The method of claim 26, further comprising the base monitoring agent refusing to allow changes to the untrusted environment unless the changes are described by a package that is signed by an approved party. 36. The method of claim 26, wherein one of the monitoring agents uses sealed storage to keep a secret for an operating system or an application residing in the untrusted environment. 37. The method of claim 36, wherein the monitoring agent refuses to reveal the secret to the operating system or the application unless the operating system or application has a digest that matches the owner of the secret. 38. The method of claim 36, wherein the monitoring agent refuses to reveal the secret to the operating system or the application unless the operating system or application is on a list of digests that may read the secret. 39. The method of claim 36, further comprising using a predetermined test to determine if a legitimate entity is requesting the secret. 40. The method of claim 39, wherein the predetermined test includes examining the entity's stacks and assuring that the stacks have legal stack contents. 41. The method of claim 26, wherein one of the monitoring agents is configured to edit a state of the untrusted environment to make it secure or otherwise acceptable. 42. The method of claim 41, wherein the state comprises an initial configuration or an error report option. 43. The method of claim 26, further comprising the base monitoring agent zeroing the physical memory that does not belong to the known good configuration of the untrusted environment or to the trusted environment. 44. The method of claim 26, wherein the untrusted environment comprises a basic input/output system (BIOS), firmware, or loader. 45. The method of claim 26, further comprising determining if the base monitoring agent should be run responsive to a counter. 46. The method of claim 45, wherein the counter counts the number of untrusted memory edit operations. 47. The method of claim 26, further comprising providing a plurality of monitoring agents that detect inconsistencies in applications running in the untrusted environment. 48. The method of claim 47, further comprising providing additional monitoring agents that detect inconsistencies in applications running in the trusted environment. 49. A system, comprising: a processor; a memory; a trusted environment resident in the memory and having at least one of an operating system, firmware, and a basic input/output system (BIOS); an untrusted environment resident in the memory; at least one monitoring agent running in the trusted environment and associated with at least one of the operating system, the firmware, and the BIOS, and associated with an application running in the untrusted environment; a nexus; and at least one base monitoring agent running in the trusted environment that monitors the untrusted environment, whereby trustworthiness of the trusted environment is projected into the untrusted environment, the base monitoring agent being bound, linked, or compiled into the nexus. 50. The system of claim 49, wherein the at least one monitoring agent comprises a plurality of monitoring agents, each monitoring agent having an associated power. 51. The system of claim 49, wherein the trusted environment runs on a first processor architecture and the untrusted environment runs on a second processor architecture, the system further comprising a base monitoring agent running on the first processor. 52. The system of claim 49, wherein the trusted environment and the untrusted environment run on the same processor, the system further comprising a base monitoring agent running in the trusted environment. 53. The system of claim 49, wherein the trusted environment runs on a first processor and the untrusted environment runs on a second processor, the first and second processors being capable of running in either a trusted mode or an untrusted mode. 54. The system of claim 49, further comprising a nexus and a base monitoring agent residing in the trusted environment, wherein the base monitoring agent is a user mode processor running on the nexus. 55. The system of claim 49, further comprising a base monitoring agent residing in the trusted environment, wherein the base monitoring agent is developed by, with, and in the same or a related build environment as an operating system of the untrusted environment. 56. The system of claim 49, further comprising a base monitoring agent residing in the trusted environment, the base monitoring agent being part of a trusted-computing-base for security evaluation. 57. The system of claim 49, further comprising a base monitoring agent, wherein a first portion of the base monitoring agent resides in the trusted environment and a second portion of the base monitoring agent resides on a physically remote machine, the first and second portions of the base monitoring agent being connected by a secure link. 58. A system, comprising: a processor; a memory; an untrusted environment resident in the memory; an operating system running in the untrusted environment; an application running in the untrusted environment; a trusted environment resident in a portion of the memory that is inaccessible to the untrusted environment; a monitoring agent running in the trusted environment and providing projection of trustworthiness of the trusted environment to the application running in the untrusted environment; and, a base monitoring agent associated with the operating system and running in the trusted environment, the base monitoring agent configured to monitor the monitoring agent and the untrusted environment, wherein the agent is a virtual machine agent, and the monitoring agent is a virtual machine monitoring agent. 59. The system of claim 58, wherein the base monitoring agent is a virtual machine base monitoring agent and projects an operating system image in the virtual machine agent. 60. The system of claim 58, further comprising an application associated with the virtual machine monitoring agent, wherein the base monitoring agent is a virtual machine base monitoring agent and provides projection to the application.
연구과제 타임라인
LOADING...
LOADING...
LOADING...
LOADING...
LOADING...
이 특허에 인용된 특허 (22)
Wobber Edward (Menlo Park CA) Abadi Martin (Palo Alto CA) Birrell Andrew (Los Altos CA) Lampson Butler (Cambridge MA), Access control subsystem and method for distributed computer system using locally cached authentication credentials.
Gomi, Hidehito; Fujita, Satoru, Distributed system, access control process and apparatus and program product having access controlling program thereon.
Blewett,Charles Douglas; Denker,John Stewart; Hall,Robert J., Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network.
Chan, Shannon; Jensenworth, Gregory; Goertzel, Mario C.; Shah, Bharat; Swift, Michael M.; Ward, Richard B., Method and system for secure running of untrusted content.
Geiger, Robert L.; Lin, Jyh-Han; Van Peursem, James E.; Palaniswamy, Avinash C.; Subramanian, Ambiga; Battenhouse, Anna, Method for validating an application for use in a mobile communication device.
Ginter Karl L. ; Shear Victor H. ; Sibert W. Olin ; Spahn Francis J. ; Van Wie David M., Systems and methods for secure transaction management and electronic rights protection.
Scott W. Devine ; Edouard Bugnion ; Mendel Rosenblum, Virtualization system including a virtual machine monitor for a computer with a segmented architecture.
※ AI-Helper는 부적절한 답변을 할 수 있습니다.