Patent application number | Description | Published |
20080222309 | Method and apparatus for network filtering and firewall protection on a secure partition - A management virtual machine on a virtualization technology enabled platform includes a means for providing a firewall and deep packet inspection. An isolated secure partition is provided to host the management application and network packet filtering and firewall functions to provide a secure and trusted platform for manageability applications. A protected component in the operating system in a user partition moves network traffic to the secure partition for inspection and filtering. | 09-11-2008 |
20080244574 | Dynamically relocating devices between virtual machines - A virtual machine monitor may reassign hardware bus devices from one virtual machine to another. The virtual machine monitor may turn a device off, reassign it to a different virtual machine, and then turn the device back on. Device interrupts are remapped from the source virtual machine to the target virtual machine. | 10-02-2008 |
20090172660 | NEGOTIATED ASSIGNMENT OF RESOURCES TO A VIRTUAL MACHINE IN A MULTI-VIRTUAL MACHINE ENVIRONMENT - A system and method are disclosed. In one embodiment the system includes a physical resource that is capable of generating I/O data. The system also includes multiple virtual machines to utilize the physical resource. Among the virtual machines are a resource source virtual machine that is capable of owning the physical resource. The resource source virtual machine is also capable of sending a stream of one or more I/O packets generated from the I/O data that targets a resource sink virtual machine. The resource sink virtual machine is designated as a termination endpoint of the I/O data from the physical device. Also among the virtual machines are one or more resource filter virtual machines. Each of the resource filter virtual machines is capable of filtering I/O packets of a particular type from the stream prior to the stream reaching the resource sink virtual machine. | 07-02-2009 |
20090222792 | AUTOMATIC MODIFICATION OF EXECUTABLE CODE - A method for automatically modifying an executable file for a software agent is provided. The method comprises detecting original static entry and exit points in the executable file and generating corresponding transformed points; modifying the executable file by linking the executable file to the integrity services environment and embedding a signed agent manifest; loading the modified executable file into memory and registering a target list with the software agent's hypervisor, wherein the target list provides mappings between protected and active page tables; detecting dynamic entry and exit points in the executable file and generating corresponding transformed points; switching to a protected context, in response to a transformed exit point being invoked, and switching to an active context, in response a transformed entry point being invoked; and de-registering the software agent with the memory protection module, in response to the software agent being unloaded. | 09-03-2009 |
20090241189 | EFFICIENT HANDLING OF INTERRUPTS IN A COMPUTING ENVIRONMENT - A method for efficiently handling interrupts in a virtual technology environment with integrity services is provided. The method comprises assigning an interrupt to a virtual machine that is running a software agent; suspending the software agent; invoking a protected interrupt handler; copying the interrupt's memory content to a protected location, in response to successfully verifying the integrity of the content; replacing the interrupt's return address with a return address for a protected function; switching from the software agent's protected context to its active context; executing the original interrupt handler; returning control to the protected function to ensure that execution of the software agent resumes safely; switching back to the software agent's protected context, in response to successfully verifying the integrity of the content; and passing control back to the software agent to resume execution. | 09-24-2009 |
20090245521 | METHOD AND APPARATUS FOR PROVIDING A SECURE DISPLAY WINDOW INSIDE THE PRIMARY DISPLAY - In some embodiments, the invention involves securing sensitive data from mal-ware on a computing platform and, more specifically, to utilizing virtualization technology and protected audio video path technologies to prohibit a user environment from directly accessing unencrypted sensitive data. In an embodiment a service operating system (SOS) accesses sensitive data requested by an application running in a user environment virtual machine, or a capability operating system (COS). The SOS application encrypts the sensitive data before passing the data to the COS. The COS makes requests directly to a graphics engine which decrypts the data before displaying the sensitive data on a display monitor. Other embodiments are described and claimed. | 10-01-2009 |
20090323941 | SOFTWARE COPY PROTECTION VIA PROTECTED EXECUTION OF APPLICATIONS - Methods and apparatus to provide a tamper-resistant environment for software are described. In some embodiments, procedures for verifying whether a software container is utilizing protected memory and is associated with a specific platform are described. Other embodiments are also described. | 12-31-2009 |
20100169968 | PROCESSOR EXTENSIONS FOR EXECUTION OF SECURE EMBEDDED CONTAINERS - Methods and apparatus relating to processor extensions for execution of secure embedded containers are described. In an embodiment, a scalable solution for manageability function is provided, e.g., for UMPC environments or otherwise where utilizing a dedicated processor or microcontroller for manageability is inappropriate or impractical. For example, in an embodiment, an OS (Operating System) or VMM (Virtual Machine Manager) Independent (generally referred to herein as “OI”) architecture involves creating one or more containers on a processor by dynamically partitioning resources (such as processor cycles, memory, devices) between the HOST OS/VMM and the OI container. Other embodiments are also described and claimed. | 07-01-2010 |
20100333206 | Protecting a software component using a transition point wrapper - Embodiments of apparatuses, articles, methods, and systems for protecting software components using transition point wrappers are generally described herein. In one embodiment, an apparatus includes a first component, a wrapper component, and a management module. The wrapper component is to transform a transition point between the first component and a second component. The management module is to control access to the first component through the transformed transition point. Other embodiments may be described and claimed. | 12-30-2010 |
20110145598 | Providing Integrity Verification And Attestation In A Hidden Execution Environment - In one embodiment, a processor includes a microcode storage including processor instructions to create and execute a hidden resource manager (HRM) to execute in a hidden environment that is not visible to system software. The processor may further include an extend register to store security information including a measurement of at least one kernel code module of the hidden environment and a status of a verification of the at least one kernel code module. Other embodiments are described and claimed. | 06-16-2011 |
20120030730 | PROVIDING A MULTI-PHASE LOCKSTEP INTEGRITY REPORTING MECHANISM - In one embodiment, a processor can enforce a blacklist and validate, according to a multi-phase lockstep integrity protocol, a device coupled to the processor. Such enforcement may prevent the device from accessing one or more resources of a system prior to the validation. The blacklist may include a list of devices that have not been validated according to the multi-phase lockstep integrity protocol. Other embodiments are described and claimed. | 02-02-2012 |
20120047580 | METHOD AND APPARATUS FOR ENFORCING A MANDATORY SECURITY POLICY ON AN OPERATING SYSTEM (OS) INDEPENDENT ANTI-VIRUS (AV) SCANNER - An antivirus (AV) application specifies a fault handler code image, a fault handler manifest, a memory location of the AV application, and an AV application manifest. A loader verifies the fault handler code image and the fault handler manifest, creates a first security domain having a first security level, copies the fault handler code image to memory associated with the first security domain, and initiates execution of the fault handler. The loader requests the locking of memory pages in the guest OS that are reserved for the AV application. The fault handler locks the executable code image of the AV application loaded into guest OS memory by setting traps on selected code segments in guest OS memory. | 02-23-2012 |
20130179693 | Providing Integrity Verification And Attestation In A Hidden Execution Environment - In one embodiment, a processor includes a microcode storage including processor instructions to create and execute a hidden resource manager (HRM) to execute in a hidden environment that is not visible to system software. The processor may further include an extend register to store security information including a measurement of at least one kernel code module of the hidden environment and a status of a verification of the at least one kernel code module. Other embodiments are described and claimed. | 07-11-2013 |