Patent application number | Description | Published |
20130031374 | FIRMWARE-BASED TRUSTED PLATFORM MODULE FOR ARM PROCESSOR ARCHITECTURES AND TRUSTZONE SECURITY EXTENSIONS - A “Firmware-Based TPM” or “fTPM” ensures that secure code execution is isolated to prevent a wide variety of potential security breaches. Unlike a conventional hardware based Trusted Platform Module (TPM), isolation is achieved without the use of dedicated security processor hardware or silicon. In general, the fTPM is first instantiated in a pre-OS boot environment by reading the fTPM from system firmware or firmware accessible memory or storage and placed into read-only protected memory of the device. Once instantiated, the fTPM enables execution isolation for ensuring secure code execution. More specifically, the fTPM is placed into protected read-only memory to enable the device to use hardware such as the ARM® architecture's TrustZone™ extensions and security primitives (or similar processor architectures), and thus the devices based on such architectures, to provide secure execution isolation within a “firmware-based TPM” without requiring hardware modifications to existing devices. | 01-31-2013 |
20130159729 | SOFTWARE-BASED TRUSTED PLATFORM MODULE - A “Firmware-Based TPM” or “fTPM” ensures that secure code execution is isolated to prevent a wide variety of potential security breaches. Unlike a conventional hardware based Trusted Platform Module (TPM), isolation is achieved without the use of dedicated security processor hardware or silicon. In general, the fTPM is first instantiated in a pre-OS boot environment by reading the fTPM from system firmware or firmware accessible memory or storage and placed into read-only protected memory of the device. Once instantiated, the fTPM enables execution isolation for ensuring secure code execution. More specifically, the fTPM is placed into protected read-only memory to enable the device to use hardware such as the ARM® architecture's TrustZone™ extensions and security primitives (or similar processor architectures), and thus the devices based on such architectures, to provide secure execution isolation within a “firmware-based TPM” without requiring hardware modifications to existing devices. | 06-20-2013 |
Patent application number | Description | Published |
20080320601 | PROVIDING ACCESS RIGHTS TO PORTIONS OF A SOFTWARE APPLICATION - Techniques for providing access rights to different portions of a software application to one or more authorized users are described herein. An issuance license may be inserted into the software application that divides the software application into one or more portions and identifies, for each portion, one or more users that are authorized access to the portion. Each portion of the software application may then be encrypted using, for example, a different cryptographic key. When the software is executed, an end user license may then be requested that corresponds to a particular user and that entitles the particular user access to each portion of the software application that the issuance license identifies the particular user as being authorized to access. The end user license may then be used to decrypt each portion of the software application that the issuance license identifies the particular end user as being authorized to access. | 12-25-2008 |
20110246785 | HARDWARE SUPPORTED VIRTUALIZED CRYPTOGRAPHIC SERVICE - A Trusted Platform Module (TPM) can be utilized to provide hardware-based protection of cryptographic information utilized within a virtual computing environment. A virtualized cryptographic service can interface with the virtual environment and enumerate a set of keys that encryption mechanisms within the virtual environment can utilize to protect their keys. The keys provided by the virtualized cryptographic service can be further protected by the TPM-specific keys of the TPM on the computing device hosting the virtual environment. Access to the protected data within the virtual environment can, thereby, only be granted if the virtualized cryptographic service's keys have been protected by the TPM-specific keys of the TPM on the computing device that is currently hosting the virtual environment. The virtualized cryptographic service's keys can be protected by TPM-specific keys of TPMs on selected computing devices to enable the virtual environment to be hosted by other computing devices. | 10-06-2011 |
20110307711 | DEVICE BOOTING WITH AN INITIAL PROTECTION COMPONENT - Booting a computing device includes executing one or more firmware components followed by a boot loader component. A protection component for the computing device, such as an anti-malware program, is identified and executed as an initial component after executing the boot loader component. One or more boot components are also executed, these one or more boot components including only boot components that have been approved by the protection component. A list of boot components that have been previously approved by the protection component can also be maintained in a tamper-proof manner. | 12-15-2011 |
20120110644 | GLOBALLY VALID MEASURED OPERATING SYSTEM LAUNCH WITH HIBERNATION SUPPORT - An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations. | 05-03-2012 |
20120226895 | PROTECTING OPERATING SYSTEM CONFIGURATION VALUES - In a pre-operating system environment on a device prior to loading and running an operating system on the device, a policy identifying configuration settings for the operating system is obtained. The operating system itself is prevented from changing this policy, but the policy can be changed under certain circumstances by components of the pre-operating system environment. The policy is compared to configuration values used by the operating system, and the operating system is allowed to boot with the configuration values if the configuration values satisfy the policy. However, if the configuration values do not satisfy the policy, then a responsive action is taken. | 09-06-2012 |
20140129817 | DEVICE BOOTING WITH AN INITIAL PROTECTION COMPONENT - Booting a computing device includes executing one or more firmware components followed by a boot loader component. A protection component for the computing device, such as an anti-malware program, is identified and executed as an initial component after executing the boot loader component. One or more boot components are also executed, these one or more boot components including only boot components that have been approved by the protection component. A list of boot components that have been previously approved by the protection component can also be maintained in a tamper-proof manner. | 05-08-2014 |
20140359774 | Protecting Anti-Malware Processes - Anti-malware process protection techniques are described. In one or more implementations, an anti-malware process is launched. The anti-malware process is verified based at least in part on an anti-malware driver that contains certificates which contain an identity that is signed with the trusted certificate from a verified source. After the anti-malware process is verified, the anti-malware process may be assigned a protection level, and an administrative user may be prevented from altering the anti-malware process. | 12-04-2014 |
20140359775 | Protecting Anti-Malware Processes - Anti-malware process protection techniques are described. In one or more implementations, an anti-malware driver is signed using a hash that identifies a manufacturer of the anti-malware driver. The anti-malware driver is then provided to a computing device. The anti-malware driver may be assigned a protection level based on an agreement between the anti-malware manufacturer and an operating system manufacturer, and this protection level effects the operation of the anti-malware program on the computing device. | 12-04-2014 |
20150161155 | ACCESSING DATA IN A COMPRESSED CONTAINER THROUGH DYNAMIC REDIRECTION - Embodiments of the disclosure provide access to data in a compressed container through dynamic redirection, without storing decompressed data in persistent memory. The compressed container is stored in a first portion of memory. User data and reference files, with redirect pointers, for accessing corresponding files in the compressed container are stored in a second portion of memory. A command to access data is detected by a computing device. The redirect pointer in the reference file associated with the command redirects access to the corresponding compressed version of data stored in the compressed container. The corresponding accessed compressed version of data is decompressed on the fly and provided in response to the command without storing the decompressed data in persistent memory. Some embodiments provide integrity protection to validate the data coming from the compressed container. | 06-11-2015 |
Patent application number | Description | Published |
20130117258 | Previewing Search Results - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for previewing search results. In one aspect, a method includes receiving a query from a client device. One or more image search results are provided to the client device, each of the one or more image search results identifying a corresponding image resource and each of the one or more image search results including an image representation of the corresponding image resource. One or more related queries are provided to the client device, the one or more related queries having been determined to be related to the query, wherein each of the one or more related queries includes a preview image to be displayed at the client device, the preview image representing an image search result responsive to the related query. | 05-09-2013 |
20140149398 | Previewing Search Results - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for previewing search results. In one aspect, a method includes receiving a query from a client device. One or more image search results are provided to the client device, each of the one or more image search results identifying a corresponding image resource and each of the one or more image search results including an image representation of the corresponding image resource. One or more related queries are provided to the client device, the one or more related queries having been determined to be related to the query, wherein each of the one or more related queries includes a preview image to be displayed at the client device, the preview image representing an image search result responsive to the related query. | 05-29-2014 |