This application is entitled to the benefit of, and claims priority to U.S. Provisional Application 62/046,640, filed on Sep. 5, 2014.
The present invention relates to the technical fields of Computer security, Mobile Computing, Telecommunications, Digital Communications, and Computer Technology.
Recent years have brought the emergence and rapid proliferation of mobile computing devices such as mobile telephones or “handsets” with extensive computing, communication, and input and interaction capabilities (“smart phones”), plus a growing array of other mobile computing devices such as touchscreen tablets, “netbooks”, electronic document readers, and laptops in a wide range of sizes with wireless and wired communication capabilities. This proliferation of mobile devices has been accompanied by complementary advances in the development and adoption of long-range wireless broadband technologies such as 3G and 4G, as well as commonplace deployment of shorter-range wireless technologies such as the 802.11 series of wireless standards and “Bluetooth” short-range wireless, all with considerable bandwidth. These technologies span multiple radio frequency bands and protocols. Alongside the radio transceivers for such communications capabilities, many of these devices also contain an array of onboard sensors such as cameras, microphones, and GPS receivers plus other locating technologies, as well as considerable fixed onboard and removable memory for information and multimedia storage. Furthermore, smartphones and similar devices are typically capable of running a wide variety of software applications such as browsers, e-mail clients, media players, and other applications, which in some cases may be installed by the user.
Along with the profusion of smartphones and other mobile, wireless-capable devices, there has also been a dramatic increase in the use of social networks and related technologies for information sharing, for consumer as well as for professional uses. Because social network applications on mobile devices tend to use an extensive array of sensors and features, access to these applications and services has heightened concerns about individual, government, and corporate information security, and about possibilities for privacy violations and other unintended and undesirable information sharing. Furthermore, the possible professional and personal use of any given handset presents a complex set of usage contexts under which rules for device capability usage and information access need to be considered.
Such sophisticated and capable smartphones and similar devices, along with the vast amounts of information that they can contain and access, present a large set of potential security vulnerabilities (a large “attack surface”) that might allow information to be accessed by malicious parties or allow undesirable use and exploitation of device capabilities for malicious purposes such as “phishing” fraud, other online fraud, or inclusion in botnets for spam transmission, denial-of-service attacks, malicious code distribution, and other undesirable activities. Furthermore, compared with conventional desktop personal computers, smartphone handsets by nature are small and portable and thus more easily stolen. Portability also means that the devices will encounter security contexts that cannot be foreseen, and which may arise only once, on the single occasion the device is used in them.
Privacy concerns have also grown significantly, given the network capabilities of the devices as well as, in some cases, the presence of cameras, microphones, and other sensors that may capture sensitive information. The mobile threat landscape is complex and presents a vast set of extant and emergent security and privacy concerns. There is, therefore, a growing need not only to improve the degree of protection provided by components and systems that enhance the security of mobile devices, but also to improve the security of those security-related components and systems themselves, so that both they and the devices and information that they protect are more robust and better able to withstand attempts to thwart or otherwise compromise them.
What is needed is a system that facilitates secure communications (transmission) and execution of code that is compatible with handheld and mobile devices and other constrained devices such as those in the “Internet of Things”, a term that refers to unconventional devices that may connect to the Internet. It must be capable of easily reconfiguring for different security contexts, and it must allow every application, sensor, or asset on the device to be managed separately.
One key approach to defending these security-related systems and components from malicious attack and to prevent undesired information disclosure is to have all or parts of the valued information and executable code reside within especially secure areas, partitions, or environments on device hardware that are designed to be inaccessible to unauthorized parties and/or for unauthorized purposes, and are separated from the main device operating system and, in some cases, from certain of its resources. Examples of such secure environments are the Trusted Execution Technology by Intel Corporation http://intel.com, and the TrustZone® by ARM Ltd. http://arm.com. However, none of these allow the independent management of each application, sensor, and asset on the device according to a specified security context. Granular security policy can only be accomplished if each asset/component can be managed independently. A further degree of security can be provided if such secure partitions or areas are also invisible and undetectable to the greatest degrees possible under unauthorized circumstances and by unauthorized parties. The present document describes novel uses and applications of such secure environments (SEs) and secured capabilities.
The invention disclosed herein describes a system for a secure environment for code execution and communication (transmission) that operates on mobile or handheld devices but may operate on other computing devices as well. It uses a secure partition approach whereby encrypted files of executable code are identified, cleared for execution by an adjudicating component based on an enforced security policy, and then disposed of after use.
U.S. Pat. No. 10,169,571 discloses a system for policy-based access control and management for mobile computing devices. That application is included by reference as if fully set forth herein. The basic system presented in that application is summarized in
Among the additional desired capabilities are secure dissemination of software code into the secure environment, and managed, secure execution of code within the secure environment. These capabilities can be provided in the following way. First, we note that our system as described in U.S. Pat. No. 10,169,571 provides a secure means of communication via a “backchannel” between server and handset using a UDP harness or other transmission protocol, and employing data encryption. A set of data, hereinafter referred to as a “blob”, is caused to be present in the secure area either via the secure backchannel or by other secure means. The blob contains a special identifier, such as a “magic number”, that designates the blob as containing executable code for special handling. Content in the blob may be encrypted if desired. Encryption may be performed by means such as asymmetric or symmetric encryption, or by other means. Detection of the presence of such a blob may be performed by a filter running as a service or task, whether scheduled, or on demand, or the detection may be accomplished by other means. The following three steps are made to occur when a blob has been detected.
1) If the file is encrypted, decrypt the file
2) Execute the executable code in the content
3) Delete the file and any decrypted contents
The above steps may be performed through the execution of a blob handler script, or by other means. Security can be enhanced by performing these steps within the secure environment.
We can extend this secure execution capability and control and manage execution with policies by adding additional metadata to the information contained in the blob (see
1) Decrypt the metadata if it was encrypted. (302)
2) Perform a query to the PDP server (303) using the UDP harness regarding whether execution of the blob-contained code is permissible. The query includes any necessary contextual information from the handset for performing the PDP decision computation.
3) If the PDP response is to deny the execution, the second key-pair component is not provided and processing of the blob is halted. (305)
4) If the code execution of the blob-contained code is permissible, the PDP server responds with an appropriate “allow” response, and also includes the requisite key portion of the second key-pair (306), such that the executable code in the blob can be decrypted (307). With the necessary key for decryption provided, the executable code in the blob is decrypted to a file. The decrypted file is loaded into secure memory (308) and executed (309). The decrypted file is then deleted (310).
These latest steps represent fully policy-managed, secure code execution.
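The blob handling described above (magic-number detection, decrypt, execute, delete) together with the policy-managed variant of steps (302)-(310), as an added Python example that is not code from the patent or its system: the PDP is simulated in-process rather than reached over the UDP harness, the cipher is a toy SHA-256 keystream standing in for a real AEAD, and the blob layout, the XOR split of the code key into a local half and a PDP-held half, and the policy fields (`allowed_blobs`, `allowed_locations`, `rooted`) are all assumptions.

```python
import hashlib, json, os, struct, tempfile
MAGIC = b"SEBLOB01"  # constructed "magic number" that marks a blob as executable content

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream; a stand-in for a real AEAD such as AES-GCM, which also authenticates."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_blob(metadata: dict, code: bytes, meta_key: bytes, code_key: bytes) -> bytes:
    """Assumed layout: MAGIC | 4-byte metadata length | encrypted metadata | encrypted code."""
    meta = keystream_xor(meta_key, json.dumps(metadata).encode())
    return MAGIC + struct.pack(">I", len(meta)) + meta + keystream_xor(code_key, code)

def pdp_decide(query: dict, policy: dict, pdp_key_half: bytes) -> dict:
    """PDP side (in-process stand-in for the UDP-harness query): its key half is released only on allow."""
    ctx = query["context"]
    if (query["blob_id"] in policy["allowed_blobs"]
            and ctx["location"] in policy["allowed_locations"] and not ctx["rooted"]):
        return {"decision": "allow", "key_half": pdp_key_half.hex()}
    return {"decision": "deny"}

def handle_blob(path, meta_key, local_key_half, policy, pdp_key_half, context, execute):
    """Handset-side handler for steps (302)-(310); the blob and any decrypted copy are always removed."""
    with open(path, "rb") as f:
        data = f.read()
    if not data.startswith(MAGIC):
        return "ignored"  # not a blob: ordinary files are left untouched
    try:
        (meta_len,) = struct.unpack(">I", data[8:12])
        metadata = json.loads(keystream_xor(meta_key, data[12:12 + meta_len]))  # (302)
        reply = pdp_decide({"blob_id": metadata["id"], "context": context}, policy, pdp_key_half)  # (303)
        if reply["decision"] != "allow":
            return "denied"  # (305): without the PDP's key half the code is never decrypted
        # (306)/(307): rebuild the code key from the local half and the PDP half (assumed XOR split)
        code_key = bytes(a ^ b for a, b in zip(local_key_half, bytes.fromhex(reply["key_half"])))
        code = keystream_xor(code_key, data[12 + meta_len:])
        with tempfile.NamedTemporaryFile(delete=False) as tmp:  # (308): decrypted file
            tmp.write(code)
        try:
            execute(code)  # (309): the caller supplies the actual execution step
        finally:
            os.remove(tmp.name)  # (310): decrypted copy removed even if execution fails
        return "executed"
    finally:
        os.remove(path)  # the blob itself is disposed of after use

def demo(context: dict):
    """Builds one constructed blob, runs the handler, returns (result, code_seen, blob_remains)."""
    code, meta_key = b"print('hello from the SE')", b"meta-key-demo"
    local_half, pdp_half = os.urandom(16), os.urandom(16)
    code_key = bytes(a ^ b for a, b in zip(local_half, pdp_half))  # the PDP holds one half
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(build_blob({"id": "task-42"}, code, meta_key, code_key))
    policy = {"allowed_blobs": {"task-42"}, "allowed_locations": {"office"}}
    seen = []
    result = handle_blob(f.name, meta_key, local_half, policy, pdp_half, context, seen.append)
    return result, (seen[0] if seen else None), os.path.exists(f.name)
```

`demo({"location": "office", "rooted": False})` takes the allow path and `demo({"location": "cafe", "rooted": False})` the deny path; in both cases the blob file is gone afterwards.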
Beyond overall defense against malicious attack and misuse of applications and device capabilities, one of our additional goals is to minimize the potential impact of a security breach into a given application or resource. We present now a new method for limiting the possible impact of such a breach, through a container-based approach that uses an extension of our system architecture that was shown in
1. (See
2. (See
3. (See
The above variants have different resource requirements and different security implications, as follows.
First, in variant 1 above, resource usage is efficient due to sharing of the API and cache. However, the single shared resource set therein represents a large single “attack surface” to malicious parties and other unintended access attempts, and also represents a single point of failure.
Second, in variant 2 above, as compared with variant 1, resource usage will generally be greater due to individual PDP communication means and individual caches, but these separated, independent resources mean that any given TA is less susceptible to impact from an attack that may have compromised another TA in the system.
Variant 3 above is generally the most resource-expensive of the three cases, since a separate PDP instance is required for each TA, along with an independent PDP cache. However, variant 3 is also the most secure in the sense that no TAi+PEPi+PDPi triplet is directly impacted by, or vulnerable to, an attack on any element of a separate triplet. Variant 3 therefore gives the strongest separation of the three variants presented. If one container is breached, then ideally the others would not be impacted. The objective is to keep policies and resources for each TA+PEP+PDP instance separated so that cross-contamination effects can be limited or mitigated.
One of the primary privacy concerns regarding modern handsets and related devices is the potential undesired interception or other unauthorized viewing of interpersonal communications such as text messaging or instant messaging (IM), and email. Privacy can be enhanced by coupling together the capabilities of secure environments as described previously with secure user interfaces, such as the Trusted User Interface (TUI) as described by the GlobalPlatform organization (https://globalplatform.org/latest-news-overview/). Information entered with, or displayed via, a TUI is independent of, and not accessible by, the host operating system of the device. This combination of TUI and SE thus provides an independent, secure “channel” to and from the handset user that can be utilized for IM, email, and other messaging methods and formats. We can further enhance the security and privacy of such secure messaging by coupling it with a policy-based management system such as that described in U.S. Pat. No. 10,169,571, and further, by encapsulating the messaging application in a PEP-controlled application container as described in the prior section. In this way, actions such as the transmission, reception, and display of messages can be governed, and allowed or denied as appropriate according to authored policies such as individual and corporate policy sets.
The invention pertains to securing computing devices from threats associated with the execution of code on the local device, including mobile computing devices, in any industry where that may be of value or importance. The invention includes an extension of the system to address vulnerabilities associated with interpersonal messaging to include text or instant messaging as well as email.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/US2015/048526 | 9/4/2015 | WO | 00 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2016/037048 | 3/10/2016 | WO | A |
Number | Date | Country |
---|---|---|
20170244759 A1 | Aug 2017 | US |