| Patent application number | Description | Published |
|---|
| 20080201540 | PRESERVATION OF INTEGRITY OF DATA ACROSS A STORAGE HIERARCHY - A method and apparatus for preservation of integrity of data across a storage hierarchy. An embodiment of a method includes verifying integrity of a memory page that is stored in primary computer memory. The memory page is swapped out of the primary computer memory to a secondary memory, wherein swapping the memory page out includes performing an integrity check of the memory page. The memory page is swapped in the primary computer memory from the secondary memory, wherein swapping in the memory page includes verifying the integrity of the memory page based at least in part on the integrity check performed for swapping out the memory page. | 08-21-2008 |
| 20080240446 | INTRUDER TRACEABILITY FOR SHARED SECURITY ASSOCIATIONS - Various embodiments are directed to systems and techniques for shared security associations. In one or more embodiments, a key distribution server provides shared security associations for clients and servers by assigning a group key to a particular client according to a time-based group key assignment schedule. The key distribution server may comprise a recursive codebook including multiple entries corresponding to group key assignments to be selected by the key distribution server with respect to time intervals. Other embodiments are described and claimed. | 10-02-2008 |
| 20080244114 | Runtime integrity chain verification - A runtime integrity check may be implemented for a chain or execution path. When the chain or execution path calls other functions, the correctness of an entity called from the execution path is verified. As a result, attacks by malicious software that attempt to circumvent interrupt handlers can be combated. | 10-02-2008 |
| 20080244268 | End-to-end network security with traffic visibility - Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. The key may be derived using a cryptographic one way function and a client identifier so that end-to-end security may be achieved. | 10-02-2008 |
| 20080280593 | Protecting Caller Function from Undesired Access by Callee Function - Disclosed is a method for restricting access of a first code of a plurality of codes and data of a first function from a second function. Thee method comprises calling the second function by the first function, addresses of the plurality of data may be stored in a stack page and colored in a first color ( | 11-13-2008 |
| 20080282358 | Protecting Caller Function from Undesired Access by Callee Function - Disclosed is a method for restricting access of a first code of a plurality of codes of a first function from a second function. Thee method comprises calling the second function by the first function, addresses of the plurality of codes are stored in a stack page and colored in a first color ( | 11-13-2008 |
| 20090038017 | SECURE VAULT SERVICE FOR SOFTWARE COMPONENTS WITHIN AN EXECUTION ENVIRONMENT - Embodiments of apparatuses, articles, methods, and systems for secure vault service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the authenticated/authorized/verified software component. Other embodiments may be described and claimed. | 02-05-2009 |
| 20090119510 | END-TO-END NETWORK SECURITY WITH TRAFFIC VISIBILITY - End-to-end security between clients and a server, and traffic visibility to intermediate network devices, achieved through combined mode, single pass encryption and authentication using two keys is disclosed. In various embodiments, a combined encryption-authentication unit includes a cipher unit and an authentication unit coupled in parallel to the cipher unit, and generates an authentication tag using an authentication key in parallel with the generation of the cipher text using an encryption key, where the authentication and encryption key have different key values. In various embodiments, the cipher unit operates in AES counter mode, and the authentication unit operates in parallel, in AES-GMAC mode Using a two key, single pass combined mode algorithm preserves network performance using a limited number of HW gates, while allowing an intermediate device access to the encryption key for deciphering the data, without providing that device the ability to compromise data integrity, which is preserved between the end to end devices. | 05-07-2009 |
| 20090249481 | BOTNET SPAM DETECTION AND FILTRATION ON THE SOURCE MACHINE - A method and device are disclosed. In one embodiment the method includes determining that a packet attempting to be sent from a first computer system has at least a portion of a human communication message that may contain spam. The method then increments a spam counter when the difference in time between a first time value in a time stamp within the packet and a second time value of a most recent activity from a human input device coupled to the first computer system is greater than a threshold difference in time value. The method also disallows the packet to be sent to a remote location if the spam counter exceeds a spam outbound threshold value. | 10-01-2009 |
| 20090327575 | COPY EQUIVALENT PROTECTION USING SECURE PAGE FLIPPING FOR SOFTWARE COMPONENTS WITHIN AN EXECUTION ENVIRONMENT - Embodiments of copy equivalent protection using secure page flipping for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor (VMM), Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. In an embodiment, an embedded VM is allowed to directly manipulate page table mappings so that, even without running the VMM or obtaining VMXRoot privilege, the embedded VM can directly flip pages of memory into its direct/exclusive control and back. Other embodiments may be described and claimed. | 12-31-2009 |
| 20090327648 | GENERATING MULTIPLE ADDRESS SPACE IDENTIFIERS PER VIRTUAL MACHINE TO SWITCH BETWEEN PROTECTED MICRO-CONTEXTS - Embodiments of an invention for generating multiple address space identifiers per virtual machine to switch between protected micro-contexts are disclosed. In one embodiment, an apparatus includes privileged mode logic, an interface, and memory management logic. The privileged mode logic is to transfer control of the processor among a plurality of virtual machines. The interface is to perform a transaction to fetch information from a memory. The memory management logic is to translate an untranslated address to a memory address. The memory management logic includes a storage location, a series of translation stages, determination logic, and a translation lookaside buffer. The storage location is to store an address of a data structure for the first translation stage. Each of the translation stages includes translation logic to find an entry in a data structure based on a portion of the untranslated address. Each entry is to store an address of a different data structure for the first translation stage, an address of a data structure for a successive translation stage, or the physical address. The determination logic is to determine whether an entry is storing an address of a different data structure for the first translation stage. The translation lookaside buffer is to store translations. Each translation lookaside buffer entry includes an address source identifiers. Each address source identifier is to identify a unique micro-context. Each address source identifier is based on a virtual partition identifier. At least two of the of virtual partition identifiers are associated with one of the virtual machines | 12-31-2009 |
| 20090328042 | DETECTION AND REPORTING OF VIRTUALIZATION MALWARE IN COMPUTER PROCESSOR ENVIRONMENTS - Methods and systems to detect virtualization of computer system resources, such as by malware, include methods and systems to evaluate information corresponding to a computer processor operating environment, outside of or secure from the operating environment, which may include one or more of a system management mode of operation and a management controller system. Information may include processor register values. Information may be obtained from within the operating environment, such as with a host application running within the operating environment. Information may be obtained outside of the operating environment, such as from a system state map. Information obtained from within the operating environment may be compared to corresponding information obtained outside of the operating environment. Direct memory address (DMA) translation information may be used to determine whether an operating environment is remapping DMA accesses. Page tables, interrupt tables, and segmentation tables may be used to reconstruct a view of linear memory corresponding to the operating environment, which may be scanned for malware or authorized code and data. | 12-31-2009 |
| 20090328164 | Method and system for a platform-based trust verifying service for multi-party verification - A method and system for a platform-based trust verifying service for multi-party verification. In one embodiment, the method includes a client platform accessing an service provider over a network. Upon accessing the service provider, the client platform receives a request from the service provider for platform measurement and verification. The client platform collects platform information and performs measurement and verification, including performing an integrity manifest comparison. If the integrity manifest comparison indicates a good client platform posture, then the client platform signs the client platform posture and sends an approval notification to the service provider indicating that the client platform has not been compromised. The client platform may then receive the service of the service provider. If the integrity manifest comparison indicates that the client platform posture is not good, then the client platform will send a failure notification to the service provider indicating that the client platform has been compromised. | 12-31-2009 |
| 20100071032 | Techniques for Authenticated Posture Reporting and Associated Enforcement of Network Access - Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional. | 03-18-2010 |
| 20100107224 | Techniques for authenticated posture reporting and associated enforcement of network access - Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional. | 04-29-2010 |
| 20100122077 | SWITCHING BETWEEN MULTIPLE OPERATING SYSTEMS (OSes) USING SLEEP STATE MANAGEMENT AND SEQUESTERED RE-BASEABLE MEMORY - Embodiments of switching between multiple operating systems (OSes) using sleep state management and sequestered re-baseable memory are generally described herein. Embodiments of the invention allow one OS to be suspended into S3 or sleep mode, saving its state to memory and turning off its devices. Then, another sleeping OS can be resumed from another location in memory by switching a memory base addressed to a sequestered memory region and restoring its device state. Other embodiments may be described and claimed. | 05-13-2010 |
| 20100162356 | Hierarchical Trust Based Posture Reporting and Policy Enforcement - A method that includes initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network. The method also includes establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform. Another secure communication channel is established over another communication link. The other communication link is between at least the policy enforcement point and a manageability engine resident on the platform. The manageability engine forwards posture information associated with the access requester via the other secure communication channel. The posture information is then forwarded to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point. The policy decision point indicates what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies. | 06-24-2010 |
| 20100169507 | Apparatus and method for managing subscription requests for a network interface component - In some embodiments, a processor-based system may include at least one processor, at least one memory coupled to the at least one processor, a network interface component, and a management controller. The management controller may be configured to receive information related to a subscription request for a virtual machine, generate configuration information for the network interface component based on the subscription request, and provide the configuration information to the network interface component. Other embodiments are disclosed and claimed. | 07-01-2010 |
| 20100169666 | METHODS AND SYSTEMS TO DIRECLTY RENDER AN IMAGE AND CORRELATE CORRESPONDING USER INPUT IN A SECUIRE MEMORY DOMAIN - Methods and systems to assign an application and a video frame buffer to a protected memory domain to render an image of a keyboard from the protected memory domain to a random position of the video frame buffer and correlate user input from a pointing device to the rendered keyboard image. The keyboard image may be randomly repositioned following a user input. The keyboard image may be rendered over a secure user image. An acknowledgment image may be rendered from the protected memory domain to a random position of the video frame buffer, and may be randomly repositioned in response to a user input that does not correlate to the acknowledgment image. User inputs that do not correlate to a randomly positioned image may be counted, and one or more processes may be aborted when the number of non-correlated user inputs exceeds a threshold. | 07-01-2010 |
| 20100262739 | IDENTIFIER ASSOCIATED WITH MEMORY LOCATIONS FOR MANAGING MEMORY ACCESSES - Embodiments of apparatuses, articles, methods, and systems for associating identifiers with memory locations for controlling memory accesses are generally described herein. Other embodiments may be described and claimed. | 10-14-2010 |
| 20110154059 | CUMULATIVE INTEGRITY CHECK VALUE (ICV) PROCESSOR BASED MEMORY CONTENT PROTECTION - In general, in one aspect, the disclosure describes a process that includes a cryptographic engine and first and second registers. The cryptographic engine is to encrypt data to be written to memory, to decrypt data read from memory, to generate read integrity check values (ICVs) and write ICVs for memory accesses. The cryptographic engine is also to create a cumulative read ICV and a cumulative write ICV by XORing the generated read ICV and the generated write ICV with a current read MAC and a current write ICV respectively and to validate data integrity by comparing the cumulative read ICV and the cumulative write ICV. The first and second registers are to store the cumulative read and write ICVs respectively at the processor. Other embodiments are described and claimed. | 06-23-2011 |
| 20110161677 | SEAMLESSLY ENCRYPTING MEMORY REGIONS TO PROTECT AGAINST HARDWARE-BASED ATTACKS - Systems, apparatuses, and methods, and for seamlessly protecting memory regions to protect against hardware-based attacks are disclosed. In one embodiment, an apparatus includes a decoder, control logic, and cryptographic logic. The decoder is to decode a transaction between a processor and memory-mapped input/output space. The control logic is to redirect the transaction from the memory-mapped input/output space to a system memory. The cryptographic logic is to operate on data for the transaction. | 06-30-2011 |
