Patent Grant
9232176
The present invention relates generally to a system and method for securing computer systems with otherwise non-secure subsystems, more particularly including providing security functionality for video and audio computer subsystems.
Conventional computing devices typically include one to many conventional types of input/output (I/O) ports for communicating with connectable external devices such as mice, keyboards, wireless modems, thumb drives, hard drives, etc., as well as internal devices such as hard drives and SSD drives. Conventional computing devices typically further include subsystems for inputting and outputting audio and video streams such as music, videos, video chat and conferences, presentations, etc.
However, the specifications for these I/O and multimedia interfaces and subsystems typically do not provide for security functions such as authentication and verification. Meanwhile, there are a number of applications such as corporate video conferencing that would greatly benefit from efficient provision and management of security over such multimedia interfaces and subsystems.
In general, embodiments of the invention include methods and apparatuses for securing otherwise unsecured computer audio and video subsystems. Embodiments of the invention perform watermarking of video and/or audio data streams output by a computer system. Additional security features that are included in embodiments of the invention include fingerprinting, snooping, capturing streams for local or remote analytics or archiving, and mixing of secure system content with local audio and video content.
In accordance with these and other aspects, a computing device according to embodiments of the invention includes a host processor subsystem including a CPU and an audio and video subsystem for producing audio and video outputs for playback and display on associated audio and video output devices, wherein the audio and video outputs include audio and video data produced by an operating system and application software running on the CPU of the host processor subsystem, and a secure audio and video subsystem that receives the audio and video outputs from the host processor subsystem and controls an actual playback and display of the audio and video outputs on the associated audio and video output devices.
These and other aspects and features of the present invention will become apparent to those ordinarily skilled in the art upon review of the following description of specific embodiments of the invention in conjunction with the accompanying figures, wherein:
The present invention will now be described in detail with reference to the drawings, which are provided as illustrative examples of the invention so as to enable those skilled in the art to practice the invention. Notably, the figures and examples below are not meant to limit the scope of the present invention to a single embodiment, but other embodiments are possible by way of interchange of some or all of the described or illustrated elements. Moreover, where certain elements of the present invention can be partially or fully implemented using known components, only those portions of such known components that are necessary for understanding the present invention will be described, and detailed descriptions of other portions of such known components will be omitted so as not to obscure the invention. Embodiments described as being implemented in software should not be limited thereto, but can include embodiments implemented in hardware, or combinations of software and hardware, and vice-versa, as will be apparent to those skilled in the art, unless otherwise specified herein. In the present specification, an embodiment showing a singular component should not be considered limiting; rather, the invention is intended to encompass other embodiments including a plurality of the same component, and vice-versa, unless explicitly stated otherwise herein. Moreover, applicants do not intend for any term in the specification or claims to be ascribed an uncommon or special meaning unless explicitly set forth as such. Further, the present invention encompasses present and future known equivalents to the known components referred to herein by way of illustration.
According to general aspects, embodiments of the invention enable providing security functionality and management over otherwise unsecured audio and video data streams output by a computer device. According to one aspect, embodiments of the invention implement watermarking of audio and video data generated by the computer device's audio and video subsystems. Additional security features that are included in embodiments of the invention include fingerprinting, snooping, capturing streams for local or remote analytics or archiving, mixing of secure system content with local audio and video content, biometric security (e.g. face recognition, retina scans, or other image analysis), video surveillance (e.g. using a computer's webcam) and video conferencing. According to certain additional aspects, the security functions performed by embodiments of the invention can be logically transparent to the upstream host and to the downstream device.
In one non-limiting example configuration according to embodiments of the invention, secure computers 120 are standalone computer systems, similar to conventional desktop, laptop or pad computers. In such an example, host processor system 102 is implemented by a CPU (e.g. x86), a conventional operating system such as Windows and associated device driver software. In accordance with certain aspects of the invention, in this example, the operation and functionality of secure processor system 104 is completely transparent to the host processor system 102 and associated operating system and application software. Moreover, the operating experience of secure computer 120 by a user is identical to the experience of a conventional desktop, laptop or pad computer, apart from the security functionality of the present invention. So while the application software that can run on the computer is virtually unrestricted, the contents of audio and video streams output by computer 120 are controlled, stored and analyzed by subsystem 104 which enforces security policies as will be described in more detail below.
In these and other embodiments, subsystem 104 is preferably an embedded system. As such, it runs a designated software system furnished together with an embedded processor, and the software cannot be modified by the end-user of the computer under any circumstances. In embodiments, however, certain functionality performed by subsystem 104 may be configured by the end-user if permitted by management system 106. According to aspects of the present invention, subsystem 104 is responsible for performing security functions such as watermarking of audio and video data streams.
Although aspects of the invention will be described in more detail herein in connection with an example implementation of secure computer 120 as a standalone desktop or laptop PC, the invention is not limited to this example implementation. Rather, secure computer 120 can be an enterprise or industrial PC, point of sale PC, thin client, media player, or any appliance or computer device that requires advanced levels of data security, integrity and collaboration.
As shown in the example of
The audio/video subsystems of host processor systems 102 can include audio and video capture devices such as cameras, webcams, microphones, audio devices with analog Line-In interfaces, and digital audio players via USB. The audio/video subsystem of host processor systems 102 can also include a conventional graphics controller for formatting and outputting audio and video produced by the host operating system and application software.
As shown in the example of
An example architecture for implementing secure processor system 104 together with host processor system 102 in a secure computer 120 is described in co-pending application Ser. No. 13/971,677, the contents of which are incorporated by reference herein. Those skilled in the art will understand how to implement the principles of the present invention in various configurations of secure computer 120 after being taught by the present disclosure.
According to general aspects, in embodiments of the invention, remote management system 106 is responsible for managing policies that can include lists of allowed devices as well as their type and level of security. Based on these lists, and audio/video devices included in computer 120, remote management system 106 sends appropriate configuration information such as how and whether or not to perform watermarking of certain or all audio or video data streams, how to mix various audio and video streams, which streams to send to system 106 for storage and/or further analysis, which analytics to perform, etc., to subsystem 104 via channel 108.
Various aspects of a remote management system and/or security policies that can be adapted for use in the present invention are described in more detail in co-pending application Ser. No. 13/971,711, the contents of which are incorporated herein by reference in their entirety.
Channel 108 can be implemented in various ways, possibly depending on the number and type of devices to be managed by system 106. Channel 108 can be a separate direct point-to-point link between system 106 and secure processor system 104. In other embodiments, channel 108 can be implemented by a transmission medium that is shared between many systems 104. In these and other embodiments, the medium can be any combination of wired or wireless media, such as Ethernet or Wireless LAN. In these and other embodiments, channel 108 can be implemented by various types and/or combinations of public and private networks using proprietary protocols running on top of conventional protocols such as UDP or TCP. In embodiments, data sent over channels 108 is encrypted, or sent over secure VPN to improve security.
Communication channel 108 according to embodiments of the invention supports two logical channels. One channel is responsible for secure transmission of security configuration information from remote management system 106 to secure processor subsystems 104, and status and command messages between subsystems 104 and management system 106. This channel also carries compressed video and audio data from subsystems 104 to system 106 for storage, analysis and/or monitoring. A second logical channel carries video and/or audio data streams from remote management system 106 for display on secure computers 120 (e.g. audio/video conferencing sessions with other secure or non-secure computers managed by system 106).
A block diagram showing an example video subsystem 200 that can be included in audio/video subsystem 122 according to embodiments of the invention is shown in
As shown in the example of
According to aspects of the invention, video 212 and 214 can originate from either the host processor system 102 or the secure processor system 104 (either directly or from remote system 106). Although
As shown, embodiments of video subsystem 200 include an alpha blender and resizer block 218. Generally, it performs mixing (e.g. alpha-blending) of the multiple sources of video 212 and 214. Block 218 can also perform resizing, cropping, and moving individual layers respectively corresponding to each video source. Resizing, cropping, and moving operations can be performed independently for each video source.
The final video output from block 218 is thus an alpha-blended mix of all the individual layers. These layers can include, for example, a Windows Desktop from the host processor system 102, decoded video from system 106 (e.g. for a video conference), local video from a camera and an OSD (e.g. graphics/text) layer that is generated by the secure processor 104. In embodiments, block 218 also draws a control window for each of the individual layers that includes controls and/or control regions for moving and resizing the layers. Switching between individual layers can be controlled by keyboard or mouse. For example, various key combinations (e.g. hot keys) can be used to switch keyboard and mouse control between the windows of the respective layers (and also perhaps between host processor system 102 and secure processor 104). An application running on secure processor system 104 responds to these key combinations and the user's manipulation of control window controls to allow the user to modify which windows he wants to see, how, resize them, close them, etc.
It should be appreciated by those skilled in the art that the monitor, secure processor system 104, and host processor system 102 may not always have the same video resolution. There are various ways the video resolutions may differ. For example, the user can change the monitor resolution on the monitor itself or can replace monitor with a new one having a different resolution. As another example, the user can change monitor resolution through an operating system configuration such as that available in Windows. Accordingly, as shown in
As further shown in
Embodiments of video subsystem 200 such as that shown in
Watermarking block 222 can also perform fingerprinting. Fingerprinting is essentially tagging or hashing of the picture for forensic purposes, such as accountability, traceability, digital rights management, etc.
Embodiments of video subsystem 200 as shown in
Analyses performed by analytics block 224 can include video analytics that can detect motion, recognize and track objects, detect certain scenarios, etc. These analyses can be used in real-time to trigger alarms or even limit (or deny) further use of the computer 120 by the user (e.g. through communications with system 106 pursuant to an alarm). Analytics block 224 can also selectively capture video from a webcam or other camera and send it system 106 as part of a facility's overall security (video surveillance) system.
Analyses performed by analytics block 224 can additionally or alternatively include face recognition of an end-user based on analysis of video from a webcam directed at the end-user. Based on such analysis, and/or communications with system 106, secure subsystem 104 could shut down the computer 120 if a different user's face is detected for over a certain period of time, for example.
Analyses performed by analytics block 224 can additionally or alternatively include performing OCR on an application window generated by host processor subsystem 102, for example to identify which applications a user is running For example, if the application is a web browser, OCR can be performed to determine which URL is being accessed. Such OCR can further be used to identify what the user is currently reading/writing on the screen, and/or to search for keywords (e.g. detect document classification levels not permitted for the user to see, restricted financial data, inappropriate material for workplace, terror activity, etc.).
It should be appreciated that any or all of the above-described functionality of block 224 can be implemented instead on system 106 based on data sent to system via blocks 226 and 228.
Although not shown specifically in
Additional video subsystem 200 applications according to these and other embodiments of the invention are provided below.
Secure video conferencing: For example, say there are two participants for a video conference—a Local participant (e.g. end-user of computer 120-1) and a Remote participant (e.g. end-user of computer 120-2). Block 224 selectively captures, and block 226 encodes a camera stream and sends it over the network to system 106, where it is relayed to the remote participant. The stream is also processed by blocks 218, 220 and 222 for display on the local monitor (for “self view”). Block 216 also decodes compressed video received from system 106 over the network and originating from the remote participants computer (e.g. another secure computer 120-2) and blocks 218, 220 and 222 process it for display on the local monitor.
It should be appreciated that, in addition to the local user's camera input being compressed and sent to the remote user via blocks 224, 226 and 228, his local desktop generated by host processor subsystem 102 can also be selectively captured by block 224, encoded and shared with the remote user(s) via blocks 226 and 228 (i.e. desktop sharing).
According to certain aspects, this conferencing system can be a better alternative than a PC-based application for several reasons. For example, it runs on secure processor subsystem 104 instead of an application running on host processor subsystem 102, thereby offloading some of the required compute resources, and providing a more reliable high-quality connection. It further does not require any special installation and is always available.
Remote desktop: Block 224 captures the desktop video output produced by host processor subsystem 102 and it is compressed by block 226 and sent out over the network by block 228 for a remote user associated with system 106 (e.g. help-desk, IT administrator) to view. Such a remote user can also take over control of the computer 120's keyboard and mouse using the USB keyboard and mouse emulation. For example, the remote user's keyboard and mouse inputs are sent over the network to secure computer subsystem 104 and translated as though they are coming from the keyboard and mouse of computer 120.
The video overlay functions supported by embodiments of alpha blender and resize block 218 according to the invention are shown in more detail in
As shown in
Each video source is independently resized and weighted by blocks 302 and 304, respectively. The values and coordinates for each resizing and weighting operation can be controlled by an end-user using an application running on secure processor subsystem 104 as described above. Additionally or alternatively, these coordinates and weights can be configured directly by subsystem 104, either by itself or as configured by system 106.
The resized and weighted video sources are provided to alpha blender 306. The operation of alpha blender and resize block 218 is further illustrated in
As should be appreciated by those skilled in the art, the overlay of one video block over another need not be completely opaque. Rather, based on weighting values applied by blocks 304, alpha blender 306 can include perform blending of colors such that an overlaid image may be partially visible.
An example audio subsystem that can be included in audio/video subsystem 122 according to embodiments of the invention is illustrated in
As shown, this example of audio subsystem 500 of secure processor system 104 includes an upstream audio codec 522 coupled to host processor subsystem 102, an audio mixer 524 and a downstream audio codec 526 coupled to computer 120 audio outputs such as headphones and speakers and audio inputs such as microphone and Line-In. In embodiments, audio codecs 522 and 526 can be implemented as stand-alone chips outside of a FPGA or ASIC containing other secure processor system 104 functionality in order to support analog audio.
There are several protocols that carry audio information in digital and analog forms over the audio path in
Mixer 524 is shown in
Similar to video subsystem 200, the function of audio subsystem 500 is essentially to receive audio from various audio sources, process the audio and send the processed audio to various audio destinations.
As shown in the example of
Audio encoder/decoder 624 receives the audio inputs from host processor subsystem 102 and computer 120 and performs the appropriate formatting and buffering. For example, it extracts audio from the HDMI stream, and converts it to the same format used by 626 and 524. The output of block 624 is provided to sample rate conversion block 626 for performing any necessary conversions of sample rate between input and output audio streams, and mixer 524.
As further shown in
Mixer 524 receives all of the audio inputs and produces mixed audio output(s). These can include analog outputs that are sent to host processor subsystem 102 via upstream I2S Codec 522 or digital outputs sent via HDMI or HDA, for example. The audio outputs can also include compressed or encoded audio (e.g. MP3) sent to system 106 via networking block 632 (e.g. for storage or for conferencing or remote desktop applications). It should be noted that audio compression/encoding can be performed by the secure processor system 104 or offloaded to an audio compression engine. Still further, the audio outputs can also be analog audio sent to computer 120's audio outputs such as a monitor (e.g. HDMI) or speakers and/or headphone via downstream I2S codec 526, for example.
Although not shown in
Embodiments of audio subsystem 500 operate in two modes: conference and high quality mode. When in video conference mode the audio mixer 524, acoustic echo canceller and CODECs 522, 526 are tuned to operate at low sampling rate (for example 8 kHz) to minimize the amount of sample rate conversion needed, thus reducing the load on the processor and overall system latency. When in a high quality mode the mixer 524 and CODECs 522, 526 are tuned to operate at high sample rate (for example, 48 kHz). Sample rate converter 626 performs the necessary sample rate conversion (e.g. to 8 kHz or 48 kHz) based on the sample rates of the input audio streams.
It should be noted that audio/video subsystem 122 of secure subsystem 104 also ensures that output audio streams are synchronized with any corresponding output video streams. This can be done, for example, by combining both of the encoded streams produced by subsystems 200 and 500 into a single bitstream (e.g. MPEG TS (transport stream)). Real-time playback on computer 120 is managed by the secure processor subsystem 104.
Although the present invention has been particularly described with reference to the preferred embodiments thereof, it should be readily apparent to those of ordinary skill in the art that changes and modifications in the form and details may be made without departing from the spirit and scope of the invention. It is intended that the appended claims encompass such changes and modifications.
The present application claims priority to U.S. Prov. Appln. No. 61/772,472, filed Mar. 4, 2013, the contents of which are incorporated by reference herein in their entirety.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4598170 | Piosenka et al. | Jul 1986 | A |
| 5191542 | Murofushi | Mar 1993 | A |
| 5598209 | Cortjens et al. | Jan 1997 | A |
| 5724027 | Shipman et al. | Mar 1998 | A |
| 5946469 | Chidester | Aug 1999 | A |
| 6028643 | Jordan et al. | Feb 2000 | A |
| 6061794 | Angelo et al. | May 2000 | A |
| 6088802 | Bialick et al. | Jul 2000 | A |
| 6453420 | Collart | Sep 2002 | B1 |
| 6457164 | Hwang et al. | Sep 2002 | B1 |
| 6507914 | Cain et al. | Jan 2003 | B1 |
| 6546491 | Challener et al. | Apr 2003 | B1 |
| 6594780 | Shen et al. | Jul 2003 | B1 |
| 6725438 | Van Ginneken | Apr 2004 | B2 |
| 6782424 | Yodaiken | Aug 2004 | B2 |
| 6820160 | Allman | Nov 2004 | B1 |
| 6922817 | Bradfield et al. | Jul 2005 | B2 |
| 7120892 | Khol et al. | Oct 2006 | B1 |
| 7149992 | Chang et al. | Dec 2006 | B2 |
| 7240303 | Schubert | Jul 2007 | B1 |
| 7320071 | Friedman et al. | Jan 2008 | B1 |
| 7330891 | Yodaiken | Feb 2008 | B2 |
| 7337100 | Hutton et al. | Feb 2008 | B1 |
| 7340700 | Emerson | Mar 2008 | B2 |
| 7350204 | Lambert et al. | Mar 2008 | B2 |
| 7396257 | Takahashi | Jul 2008 | B2 |
| 7469343 | Ray | Dec 2008 | B2 |
| 7478235 | England et al. | Jan 2009 | B2 |
| 7516217 | Yodaiken | Apr 2009 | B2 |
| 7635272 | Poppe | Dec 2009 | B2 |
| 7677065 | Miao | Mar 2010 | B1 |
| 7962755 | Pizano et al. | Jun 2011 | B2 |
| 7987497 | Giles et al. | Jul 2011 | B1 |
| 8402529 | Green et al. | Mar 2013 | B1 |
| 8429419 | Endrys | Apr 2013 | B2 |
| 8566934 | Srivastava | Oct 2013 | B2 |
| 8576282 | Salgar et al. | Nov 2013 | B2 |
| 8606971 | Cain et al. | Dec 2013 | B2 |
| 8627106 | Pizano et al. | Jan 2014 | B2 |
| 20020007456 | Peinado et al. | Jan 2002 | A1 |
| 20020057795 | Spurgat et al. | May 2002 | A1 |
| 20020069396 | Bhattacharya et al. | Jun 2002 | A1 |
| 20040199879 | Bradfield | Oct 2004 | A1 |
| 20050240892 | Broberg et al. | Oct 2005 | A1 |
| 20070101387 | Hua et al. | May 2007 | A1 |
| 20070153091 | Watlington et al. | Jul 2007 | A1 |
| 20070169156 | Zeng | Jul 2007 | A1 |
| 20070255963 | Pizano et al. | Nov 2007 | A1 |
| 20080091833 | Pizano et al. | Apr 2008 | A1 |
| 20080130944 | Johnson et al. | Jun 2008 | A1 |
| 20080247540 | Ahn et al. | Oct 2008 | A1 |
| 20080263658 | Michael et al. | Oct 2008 | A1 |
| 20090013111 | Berland et al. | Jan 2009 | A1 |
| 20090033668 | Pederson et al. | Feb 2009 | A1 |
| 20090062008 | Karmarkar | Mar 2009 | A1 |
| 20090212844 | Darmawan et al. | Aug 2009 | A1 |
| 20090254572 | Redlich et al. | Oct 2009 | A1 |
| 20100024004 | Boegelund et al. | Jan 2010 | A1 |
| 20100192230 | Steeves et al. | Jul 2010 | A1 |
| 20100201400 | Nardone et al. | Aug 2010 | A1 |
| 20110102443 | Dror et al. | May 2011 | A1 |
| 20110107379 | Lajoie et al. | May 2011 | A1 |
| 20110131423 | Ponsini | Jun 2011 | A1 |
| 20110158609 | Gravoille | Jun 2011 | A1 |
| 20110258460 | Pizano et al. | Oct 2011 | A1 |
| 20120017197 | Mehta et al. | Jan 2012 | A1 |
| 20120176545 | Estrop et al. | Jul 2012 | A1 |
| 20120192129 | Bowers | Jul 2012 | A1 |
| 20120327181 | Thapa | Dec 2012 | A1 |
| 20130022948 | Angell et al. | Jan 2013 | A1 |
| 20130067534 | Soffer | Mar 2013 | A1 |
| 20130212671 | Wang et al. | Aug 2013 | A1 |
| 20130238908 | Pizano | Sep 2013 | A1 |
| 20140010366 | Quinn et al. | Jan 2014 | A1 |
| Number | Date | Country |
|---|---|---|
| 2517144 | Jul 2011 | EP |
| 2407905 | Jan 2012 | EP |
| Entry |
|---|
| Garfinkel, “Terra: A Virtual Machine-Based Platform for Trusted Computing”, ACM SOSP, Proc. of the ACM Symp. on Operating system Printciples, Oct. 22, 2003, pp. 193-206. |
| Landau, et al., “SlitX: S;lit Guest/Hypervisor Execution on Multi-Core”, 3rd Workshop of IO irtualization, Jun. 14, 2011, pp. 1-7. |
| International Search Report issued Jul. 18, 2004 in corresponding PCT/US204/20135. |
| Number | Date | Country | |
|---|---|---|---|
| 20140248039 A1 | Sep 2014 | US |
| Number | Date | Country | |
|---|---|---|---|
| 61772472 | Mar 2013 | US |
