Modern computing systems often provide users with the ability to simultaneously support multiple execution environments typically using some form of virtualization scheme to delineate the execution environments within the system. Each environment can support its own operating system and software processes and, depending on the virtualization scheme, a particular environment and its software processes can be isolated to varying degrees from other environments. In the context of multiple environments users often need to “trust” to a high degree of certainty the ability of one or more particular environments to protect data within those environments from being accessed or altered by other environments.
Creating a trusted environment completely protected from other environments is problematic and users are often presented with the challenge of fending off attacks on trusted environments originating from malicious software executing within other environments. While such attacks can take many forms some of the most insidious do not involve direct attacks on a trusted environment but instead rely on mimicry to convince the user that they are interacting with a trusted environment. Because typical computing systems represent multiple environments by using a separate user interface (UI), usually one or more distinct graphical windows, for each environment, malicious entities that can mimic a trusted environment's UI or window can readily deceive a user into believing he or she is interacting with the trusted environment. Providing users with a truly robust trusted computing environment requires that users can readily recognize and distinguish the trusted environment's UI from the UIs of other environments present on the system.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate one or more implementations consistent with the principles of the invention and, together with the description, explain such implementations. The drawings are not necessarily to scale, the emphasis instead being placed upon illustrating the principles of the invention. In the drawings:
The following detailed description refers to the accompanying drawings. The same reference numbers may be used in different drawings to identify the same or similar elements. In the following description, for purposes of explanation and not limitation, specific details are set forth such as particular structures, architectures, interfaces, techniques, etc. in order to provide a thorough understanding of the various aspects of the claimed invention. However, it will be apparent to those skilled in the art, having the benefit of the present disclosure, that the various aspects of the invention claimed may be practiced in other examples that depart from these specific details. In certain instances, descriptions of well known devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.
Computer software within a computing system runs in an execution environment provided by the computing system's software and hardware. A trusted execution environment (or, simply, a “trusted environment”) is one that isolates and protects software running (or “executing”) within the trusted environment from all other software executing within other execution environments regardless of the privilege level(s) of the other software. A computing system's execution environments provide software process execution with a range of system privileges: for example, some software processes may have privileges providing those processes with access to system-wide control registers or with access to another process's data, while other processes are not permitted such system-wide access privileges. Each execution environment has a defined level of privilege with respect to the system, and processes executing within a particular environment cannot exceed that environment's privileges.
A trusted environment is one that isolates and protects any software process executing within it and that supports sealing of data to processes within it. A trusted environment has the ability to seal and/or isolate data within the trusted environment such that the data can only be read or used within the trusted environment to which the data was sealed. For example, while the invention is not limited in this respect, one method for sealing a trusted environment's data is to encrypt the data using a secure encryption algorithm and to use a message authentication code to detect modifications. A trusted environment's sealed data can be stored in system memory or otherwise persisted within the system without exposing that data to observation or undetectable alteration by other system environments. Sealed data cannot be accessed or altered by any other execution environment (trusted or otherwise) without detection by the trusted environment.
A trusted environment supports trusted input and trusted output. Trusted input is user input (e.g. input from a keyboard or other user-operated I/O device) that is guaranteed to only be accessible from a trusted environment. Trusted output is system output (e.g. graphics output to a display) that is likewise guaranteed to only be accessible or generable from a trusted environment. A trusted user interface (or trusted UI) is a graphical user interface that supports one or more trusted environments using trusted input and trusted output. A trusted UI includes UI elements (or simply, “elements”) as the visual components of the trusted graphical user interface. A trusted UI's elements include, but are not limited to, windows, icons, links and the like. Further, UI elements may contain content areas and non-content areas.
Content areas of a UI element contain content or data of interest to the user and may include, but are not limited to, areas where information such as the software process's application name, output text and fields for user input are displayed. For example, content areas include, but are not limited to, the window's title bar and content pane. Non-content areas of a UI element include, but are not limited to, sizing borders, min/max/restore widgets, etc. UI elements are considered to be higher level than the bitmap images they are derived from in that they exist as defined components in a trusted UI's graphical display system rather than simply as a collection of data bits in the system's display buffer. In the display context, the elements of a trusted UI need to provide the user with the ability to distinguish which trusted environment a given element belongs to when the user observes that element. In the input context, a trusted UI needs to assure that input data associated with a given UI element is only available to the trusted environment associated with that element.
A UI has system focus when it is the UI within the system actually receiving user input. Only one UI can have system focus at any one time although in a system composed of multiple subsystems each subsystem may provide one of its own UIs with subsystem focus at any given time. When a trusted UI has a UI element with focus then only software running in that particular trusted UI and associated with that UI element can read the user input provided to the UI element.
System 100 may include a processor 102, memory 104, a bus 106, an I/O interface 108, a network interface 109, a display controller or graphics interface 110, a display 112, and multiple graphical user interfaces (UIs) 114 and 116. Processor 102 may be coupled to bus 106 for communicating with other system devices such as memory 104 and graphics interface 110. Bus 106 may be a peripheral component interconnect (PCI) bus, although the invention is not limited in this respect. I/O interface 108 may permit processor 102 or graphics interface 110 to communicate with I/O devices (not shown) such as a Bluetooth® wireless universal asynchronous receiver/transmitter (UART) or a universal serial bus (USB) linked to USB-compliant external devices, although the invention is not limited in this regard.
While memory 104 and graphics interface 110 may be physically separated from processor 102, the invention is not limited in this respect and encompasses, for example, embodiments wherein memory and/or the graphics interface are embedded within processor 102. Moreover, all or portions of the components of system 100 may be incorporated within a single integrated circuit (IC) “system on a chip” or incorporated into a collection of ICs interconnected to form a “package” without departing from the scope or spirit of the claimed invention.
Both I/O interface 108 and network interface 109 may comprise any suitable interface controllers to provide for any suitable communication link to different components of the system 100. For example, I/O interface 108 may communicatively couple system 100 to one or more suitable integrated drive electronics (IDE) drives, such as a hard disk drive (HDD) or compact disc read only memory (CD ROM) drive to store still or video image data and/or software instructions. I/O interface 108 may also communicatively couple system 100 to one or more suitable universal serial bus (USB) devices through one or more USB ports, an audio coder/decoder (codec), and a modem codec, to name just a few examples. I/O interface 108 may, in one implementation, also provide an interface to a keyboard, a mouse, and one or more suitable devices, such as a printer for example, through one or more ports. Network interface 109 may provide an interface to one or more networks external to system 100, including, for example, a local area network (LAN) permitting system 100 to be communicatively coupled, for example, to external sources providing streaming video data.
As will be further described below, software instructions stored in memory 104 and executed by processor 102 may configure system 100 to provide at display 112 visual UI elements (e.g., windows) associated with specific environments running on system 100, in particular, trusted output in the form of trusted UI 116 associated with a trusted environment executing on system 100. In one implementation, software instructions executing within processor 102 may alter the appearance of the trusted environment's trusted UI 116 to differentiate trusted UI 116 from other UIs, trusted or not, such as UI 114 presented on display 112. When trusted UI 116 contains transparent portions and is positioned on display 112 such that it is in front of and overlaps with UI 114, system 100 may present trusted UI 116 such that UI 114 cannot be seen through the transparent portions of the trusted UI 116. In addition, system 100 may display one or more visual UI elements of the trusted environment having focus, such as UI 116 in front of or on top of the visual UI elements of other environments, such as UI 114. To better illustrate the invention, a more detailed description of an implementation of trusted UI 116 will now be provided.
While the implementation shown in
A user of system 100 may choose image 200 for use in presenting trusted UI 116 so that the user may recognize that UI 116 originates from a trusted environment when the user observes UI 116. Display output 300 of display 112 may include trusted UI 116, UI 114, as well as a “desktop” menu bar and assorted icons as may typically appear in display output 300 when system 100 uses a windows-based operating system such as Microsoft® Windows XP®. While the UI visual elements shown in
In the implementation of
Additional implementations may allow trusted UI 116 of system 100 to retain its trustworthiness even when UI 116 is not the UI having system focus (i.e. is not receiving user input and thus is not top-most). For example, although the invention is not limited in this regard, circumstances may arise where UI 114 has system focus (i.e. is receiving user input) and may partially obscure the visual elements of trusted UI 116 including content panes 308. To ensure that a user of system 100 may ascertain the trustworthiness of UI 116 even though UI 116 does not have system focus, an additional implementation may extend the application of image 200 in UI 116 to include the use of image 200, or portions or multiple copies of image 200, as a background image behind other content-bearing visual elements such as, but not limited to, title bar 306. Moreover, other implementations may extend the use of image 200, or portions or multiple copies of image 200 to other, non-content bearing visual elements of UI 116, such as scroll bar 312.
Processing may begin with the selection, by a user of system 100, of an image to be associated with a trusted computing environment [act 402]. The image (e.g., image 200) may be selected by a user based on that image's uniqueness and recognizability to the user in order to provide user recognition of the trustworthiness of trusted UI 116. To preserve trustability, the image chosen or selected in act 402 may be selected by the user using system 100 when system 100 is in a trusted state or when the image is selected from within a trusted computing environment. System 100 may be in a trusted state by being in an initial trusted state or by being placed in a state whose trust may be verified. System 100 may be in an implicitly trusted state when first used (e.g. just unboxed). The image may also be selected when the system 100 is in a state that the user believes is not under attack.
Processing may continue with the selected image being sealed by system 100 within the trusted environment associated with the trusted UI 116 [act 404]. System 100 may then apply the selected and sealed image to form at least a portion of the background of at least one of the visual elements, such as at least a portion of the background 316 of content panes 308, of trusted UI 116 [act 406].
Processing may continue with the user modifying the selected image [act 504]. The image modification undertaken in act 504 may include, but is not limited to, cropping, stretching, sharpening or otherwise modifying the image characteristics of the image selected in act 502. Alternatively, system 100 may alter the image selected in act 502 or system 100 may alter the selected image in addition to any alteration the user may have performed on the image. System 100 may alter the color saturation or brightness of the image so that the visual element is easier to read over the background selected image. In act 506 the modified image may be sealed within the trusted environment associated with trusted UI 116. System 100 may then apply the selected and sealed image to form at least a portion of the background of at least one of the visual elements, such as at least a portion of the background 316 of content panes 308, of trusted UI 116 [act 508].
Additional implementations may include modifying the visual element to make the background selected image easier to detect. System 100 may alter the transparency of the visual element, so that the background selected image could be detected in the background behind the visual element. In addition, system 100 could make the modifications to the visual element and the background selected image dependent upon each other. For example, the background visual element may have higher color saturation in portions of the visual element that are mostly white space. The color choices of the visual element and the background selected image may be modified so that they do not interfere with readability and detection.
Additional implementations may include modifying the selected image after the selected image is sealed within the trusted computing environment. Such post-sealing modification may be undertaken by the user, the system, or both the user and the system. In such an implementation the modified image may be re-sealed within the environment and replace the original image. The user may choose to make this change on a periodic basis, say every 6 months, or to change the image if the user suspects that someone he doesn't trust has seen the image or had an opportunity to photograph the image. Moreover, in general, the system may modify the selected image, with or without user participation, before or after sealing to, for example, make the selected image more visually appealing although the invention is not limited in this regard. If the system modifies the selected image it may inform the user of the modification so that the user can recognize the modified image.
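The sealing step referred to above (encrypting the chosen image and using a message authentication code to detect modification, as in acts 404 and 506, and again when a modified image is re-sealed) is illustrated by the following example. It is added here and is not code from the specification; it assumes a hardware-rooted secret (represented by a constructed placeholder rootKey) that only the trusted environment can obtain, and it binds the sealed blob to a byte-string "measurement" that stands in for the trusted environment's identity, so that another environment presenting a different measurement cannot recover or silently alter the image.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// rootKey is a constructed placeholder for a hardware-rooted secret held only by the trusted environment.
var rootKey = []byte("constructed-root-key-for-demo-only")

// gcmFor derives a key bound to the trusted environment's measurement (identity) and returns AES-256-GCM for it.
func gcmFor(measurement []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(append(append([]byte{}, rootKey...), measurement...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealImage encrypts and authenticates the user's image so that only the environment with this
// measurement can recover it; the GCM tag supplies the modification detection the specification calls for.
func SealImage(measurement, image []byte) ([]byte, error) {
	aead, err := gcmFor(measurement)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, image, measurement)...), nil // blob = nonce || ciphertext || tag
}

// UnsealImage returns the image only when the blob is intact and was sealed to this measurement.
func UnsealImage(measurement, blob []byte) ([]byte, error) {
	aead, err := gcmFor(measurement)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("sealed blob too short: %d bytes", len(blob))
	}
	return aead.Open(nil, blob[:n], blob[n:], measurement)
}

func main() {
	blob, _ := SealImage([]byte("trusted-measurement"), []byte("constructed image bytes"))
	_, err := UnsealImage([]byte("other-measurement"), blob)
	fmt.Println("another environment can unseal the image:", err == nil) // false
}
```

Because the measurement is also passed as GCM associated data, a blob copied into a different environment fails authentication rather than decrypting to garbage, which is the detection property the specification requires.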
The acts shown in
The foregoing description of one or more implementations consistent with the principles of the invention provides illustration and description, but is not intended to be exhaustive or to limit the scope of the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of various implementations of the invention.
For example, the system, apparatus and methods for displaying a trusted user interface using background images described herein are not limited to systems or apparatus where the graphics interface communicates image data to the display over buses or cables. Rather, the claimed invention also contemplates a graphics interface that communicates with a display using wireless technologies while maintaining system security or trust. Also, although described in terms of a discrete graphics interface, in some implementations the graphics interface may be embedded within a larger general purpose processor or system. For example, the graphics interface may be embedded along with a processor, buses, I/O interface, etc., within a single integrated circuit chip or a “system on a chip.” Clearly, many other implementations may be employed to provide for displaying a trusted user interface using background images consistent with the claimed invention.
No element, act, or instruction used in the description of the present application should be construed as critical or essential to the invention unless explicitly described as such. Also, as used herein, the article “a” is intended to include one or more items. Where only one item is intended, the term “one” or similar language is used. Variations and modifications may be made to the above-described implementation(s) of the claimed invention without departing substantially from the spirit and principles of the invention. All such modifications and variations are intended to be included herein within the scope of this disclosure and protected by the following claims.